Northeast Health System (NHS) Information Privacy and Security

Transcription

1 Northeast Health System (NHS) Information Privacy and Security Subject: Electronic Communication Non-employees Date Effective: Date Revised: Date Reviewed: Applies to: A. All non-employed workforce members (users) including medical staff, other licensed independent practitioners, students, contracted workers, and business associates B. Any/all users connected to Northeast Hospital Corporation (NHC) electronic communication systems This policy is to be used in conjunction with the NHS Compliance Plan and all other entity- and/or Departmentspecific information privacy & security policy and procedure. This policy also aligns with The Electronic Communication Policy for all employee users PURPOSE: To describe the acceptable use of electronic communication devices and systems at NHC. Inappropriate use exposes NHC to risks including virus attacks, compromise of network systems/services, unauthorized disclosure of protected health information (PHI) and/or personal identifiers (PI), reputational loss, and/or liability. GENERAL POLICY: Users are to use the electronic communication system only as authorized by the organization. All users who are granted access must review and understand the information privacy and security policies and procedures for computer and system use and will be held accountable/responsible for all activities associated with their username and password. Use of the organization's electronic systems implies an understanding of and agreement to this policy. The electronic communication system includes, but is not limited to, computers, , fax machines, Internet access, external access to all NHC-owned systems, pagers, telephones (land lines & cell phones), voice mail and personal communication devices (i.e. Blackberry, Nextel, iphone, ipad, etc.) USER RESPONSIBILITY: Users must adhere to this policy at all times - when inside/outside the buildings of NHC and/or whenever using NHC systems. Each user is responsible for the content of all text and images he/she places or sends over the organization's electronic communications system or when using the organization s communication devices or systems. Users must therefore use discretion when writing messages and/or other electronic communications since they are considered business records, are the property of the organization and may be used in legal processes. They may be used by the organization as evidence in disciplinary proceedings. is a permanent form of communication and users are to keep in mind at all times that the contents of may be scrutinized at a later date. No or other electronic communication is to be sent which hides the identity of the sender, represents the sender as someone else without prior authorization, or uses an alias. Users are responsible for securing their PCs, workstations, and/or laptops including personal devices connected to NHC systems by locking or logging off when not in active use or unattended.

2 COMPUTER ACCESS (including and Internet access) is to be used for NHC-related purposes only. Users must abide by all existing NHC policies and procedures when using the organization's electronic or wireless communication system. All existing NHC policies apply to conduct when using all means of electronic communication as defined by this policy. For example, the organization's policies against discrimination and harassment fully apply to any and all electronic communication. Users must respect the copyrights, software licensing rules, property rights, and privacy of others. Users must maintain HIPAA privacy and data security especially when using, storing, or transmitting PHI and/or PI. Certain sites that contain social or inappropriate material will be blocked for all users. Inappropriate usage is prohibited and could lead to sanctions up to and including termination of contract, termination of computer system use, and/or criminal prosecution. Inappropriate usage is defined as downloading/accessing sites of a sexual nature, use of profanity, threatening behaviors, unlawful usage, etc. Individuals who need access to blocked sites for business appropriate reasons must seek written approval from their Chief and respective Vice President. Occasionally, sites are mis-categorized or may be blocked in error; these sites should be reported to the Help Desk for review by Information Systems. Users may not connect any personal computers, laptops, or devices to the NHC private network without prior approval by the Information System Security Officer. PRIVACY: No user should have any expectation of privacy in any communication, message, file, image or data created, sent, stored or received by or on the organization's equipment and/or systems. The organization has the right to access and monitor any and all aspects of its electronic communication system. Users are not to assume that using password protection, whether assigned by the organization or not, guarantees a right or expectation of privacy. The organization's monitoring and accessing of its system users may occur at any time, without notice, and without the user's permission. The organization reserves the right to review all user browsing transactions and Internet activity from company resources. The organization's monitoring of its system may include, but will not be limited to, accessing, recording, disclosing, inspecting, reviewing, retrieving and printing communications, logins and other uses of the system, as well as keystroke capturing and/or other network sniffing technologies. The reasons for which the organization may obtain such access include, but are not limited to: maintaining the system, preventing or investigating allegations of abuse or misuse of the system, ensuring compliance with software copyright laws, monitoring and ensuring work flow and productivity, complying with legal and regulatory requests for information and ensuring that the organization's operations continue appropriately during a user s absence or unavailability. The organization may store data or communications for a period of time after the data communication is created. From time to time, copies of such data or communications may be deleted. To ensure the integrity, confidentiality and security of the organization's data and communications, users are prohibited from storing organizationrelated information on personal computers or personal storage devices (i.e., flash drives, portable hard drives, etc.). All PHI and/or PI stored on organization-owned storage devices must be encrypted in accordance with Information Systems Departments Acceptable Encryption Policy.

3 USE OF PERSONAL COMMUNICATION DEVICES (i.e. cell-phones, Blackberry, iphone, ipad) Personal telephone calls: NHC recognizes that there are times when a user has to receive or make personal phone calls during work hours. However, these calls should be kept to a minimum in order to maintain professionalism and safe practice. If making and receiving personal phone calls becomes excessive and/or disruptive to a user s responsibilities, the user s Chief or NHC management will address the issue by way of sanctions via medical staff bylaws and/or contractual agreement. In an effort to be customer focused and minimize unnecessary noise, users are to at all-time set personal cell phones to silent. When authorized by the user s Chief or NHC management, due to emergency situations, users may set personal cell phones to vibrate mode. Cell phones are not to be used within three feet of clinical equipment. Texting and other personal communication device activity: Texting, listening to music and other activities for which personal communication devices may be used are to occur only during break periods and away from patient care or work areas. Pagers and portable devices are currently unsecure and not acceptable methods of sending PHI/PI between users. All organization wide internal s must be approved and sent by the appropriate Senior Manager/Vice President, and/or Marketing and Business Development Department. On-line social networking: Online social networking refers to the interaction of individuals through web-based social networking sites (i.e. Facebook, Twitter, YouTube, etc.) as well as the participation in chat rooms, on-line forums and electronic bulletin boards. NHC electronic communication system is not to be used to engage in social networking at any time, unless it is organization sponsored and/or on our Intranet (NIC). In addition, users are to be mindful of online conversations during personal time. User conduct, even when not working at NHC, can reflect on and impact NHC. Users are to exercise personal responsibility whenever involved in social networking. If the subject of the discussion is NHC, or those affiliated with NHC, users must be mindful of the following guidelines: *Do not disclose any information that would be protected by HIPAA, and/or would deem the patient recognizable by description. HIPAA privacy rules still apply, even if you are not working at NHC. *Whether publishing a blog or participating in someone else's blog, users are to make it clear that they are expressing their own views and opinions, and that they do not speak on behalf of NHC. Only those officially designated by NHC have the authority to speak on behalf of NHC. *Be respectful of potential readers. Do not use discriminatory comments, libel or slander when commenting about NHS/NHC, NHS/NHC management, NHS/NHC employees, or NHS/NHC competitors; *If users have any questions about the content of blogs/social network materials, they may seek guidance from a member of NHC management and/or the Privacy Officer; The failure to follow these guidelines may result in sanctions up to and including termination of contract and/or termination of computer use. NHC reserves the right to monitor all blogs/social networking sites for the purpose of protecting its interests. Other Prohibited Uses of Electronic Equipment: The following is a non-exhaustive list of different types/uses of electronic equipment or software for data that may be transmitted, received, downloaded, accessed, stored, created, sent or distributed which is strictly prohibited:

4 * Sending or forwarding non-encrypted PHI and/or PI to any system outside our internal GroupWise, such as business partners, other healthcare facilities, physician practices, AOL, Yahoo, Comcast, Gmail, etc. Users should also not set-up automated rules or forward from internal GroupWise system to outside systems. *Any accessing, downloading, sending, or publishing of any PHI, PI, and/or confidential patient or financial information; *Distribution of organization documents, financial reports, lists, competitive information, logos and images to any unauthorized inside or outside sources or organizations; *Solicitation or distribution in violation of NHS Solicitation, Distribution, Access and Raffles policy (see Compliance Plan) *Any messages or communications that contain objectionable/illegal language or material. Objectionable material is defined as pornographic, obscene, sexually explicit, or sexually oriented language, as well as discriminatory, defamatory or threatening language. No one may use the organization's system in a manner that may be construed by others as harassing or discriminatory based on race, color, national origin, citizenship status, pregnancy, veteran status, genetic information or any other protected class; *Use for purposes related to any illegal activities including, but not limited to illegal drugs, gambling, prostitution or weapons; *Use of any chain letters or non-business related mass- s; *Downloading unauthorized and/or unlicensed software programs, data, or other copyrighted and/or trademarked materials; *Transmitting copyright materials that violate software copyright laws, including copying, retrieving, modifying or forwarding such materials; *Use of another user s password, with or without permission. *Significantly tampering with or changing any configuration of an electronic communication device without prior authorization, including copying, destroying, deleting, distorting, removing, concealing, modifying or encrypting messages or files or other data on the organization s system without prior authorization. *Using the organization's system for commercial uses not intended to benefit the organization, except for those that are sponsored and are posted on our Intranet (NIC). * Users must not share their username and/or passwords or disclose this information to employees, or to anyone else * Only individually-assigned encrypted portable devices (i.e., USB drives) are to be used on NHC systems. Personally-owned portable devices are not to be plugged into the corporate network. *Users must not open attachments unless they are expected and have come from a known party as they may contain viruses, worms, or Trojan horse code * Exporting software, technical information, and/or encryption software/technology out of the United States may

5 be in violation of export laws and may be illegal. The Legal Services Department is to be consulted prior to export of any material that may be in question. * Introduction of malicious programs into the network or onto computers (i.e., viruses, worms, Trojan horse code, logic bombs) is prohibited. *Introduction of wireless routers into the NHC network without consent of the Information Systems Department is prohibited. * Effecting security breaches or disruption of network communication is prohibited (i.e., network sniffing, pinged floods, packet spoofing, denial of service, and/or forged routing information for malicious purposes) * Port scanning or security scanning is prohibited unless undertaken as part of an approved Information Systems Department process. * Executing any form of network monitoring which will intercept data not intended for the user is prohibited unless part of an approved Information System Department activity. * Circumventing the authentication or security of any user, network, or account (i.e., cracking) is prohibited. REFERENCES: HITECH HIPAA Privacy and Security modifications (45 CFR Parts 160 and 164) Massachusetts Data Security (201 CMR 17.00)