APPROVED BY: DATE: NUMBER: PAGE: 1 of 9




PURPOSE:

To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail), wireless access and file transfer protocol (FTP) transmission by MCG Health workforce members.

POLICY:

A. General Ownership

MCG Health is the owner of all MCG Health electronic systems and intellectual property/data stored in them or transmitted from them.

a) All messages or data files originating from, transmitted from or received into the MCG Health electronic systems are considered the property of MCG Health.

b) MCG Health monitors and tracks system access and content to prevent theft or abuse of the system(s) and information and to reasonably ensure compliance with applicable laws and regulations.

c) MCG Health reserves the right to monitor, access, and audit any exchange of e-mail, Internet traffic, wireless transmissions, FTP transmissions and phone voice traffic and messages for the purposes of reasonably ensuring the protection of legitimate business interests, proper utilization of MCG Health property and adherence to appropriate privacy and security practices.

d) E-mail, wireless transmissions, FTP transmissions and voice mail messages may be monitored and tracked without advance notice to or consent by the workforce member.

Incidental use of MCG Health electronic systems for personal use is permitted provided such use does not interfere with workforce productivity or business and does not conflict with workforce member responsibilities outlined in this policy.

B. E-Mail

E-mail is intended to be used as a business tool to facilitate communications and the exchange of information needed by workforce members to perform their assigned duties. An approved e-mail Confidentiality Notice is required and will be automatically added by the e-mail system on all messages sent to external recipients. All e-mail messages and/or attachments that are transmitted outside the MCG Health network (wired or secure wireless) and contain PHI or other confidential information need to be encrypted to protect the privacy and integrity of the information.

C. Internet Access

Internet access is intended to be used as a business tool for e-mail communication with covered entity clients, customers and third party contractors and to provide access to information needed by workforce members to perform their assigned duties. MCG Health systems will block certain non-business sites. Workforce members using MCG Health computers who discover they have connected with a web site that contains sexually explicit, racist, violent, or other potentially offensive material must immediately leave the site and notify the HIPAA Compliance Officer or designee so the site can be added to the blocked sites list. The ability to connect with a specific site does not in itself imply that workforce members of MCG Health systems are permitted to visit that site.

D. Phones

MCG Health phones (static and mobile) are intended to be used as a business tool by workforce members for communications with other MCG Health workforce members, covered entity clients and external third party contractors.

E. Wireless Networks and Access

MCG Health wireless networks are secure. Workforce members accessing MCG Health wireless networks shall adhere to the same policies and procedures as when accessing the MCG Health wired network. This includes all requirements related to communication protocol, secure messaging outside of the MCG Health wireless network, etc.

Workforce members who are in travel status and use laptops to access the MCG Health network or to send and receive e-mail shall reasonably ensure any communication is in accordance with this policy and procedure and shall only access the MCG Health network via virtual private network (VPN).

F. FTP Transmission

MCG Health maintains a secure FTP web site solely for the purpose of exchanging files and transactions that contain PHI and other confidential information such as covered entity client data. Access to the secure FTP site will be strictly controlled. Only authorized workforce members will be assigned access to the secure FTP site. The secure FTP site shall only be used for business purposes. It is not intended for personal use to exchange files or transactions. Such use of the secure FTP site will be considered a violation of this policy and any workforce member violating this policy will be subject to the appropriate sanctions. See Sanctions policy.

G. General Usage

Members of the MCG Health workforce may use MCG Health e-mail, Internet, phones (static and mobile) and the MCG Health wireless network for personal use as long as the workforce member adheres to the requirements of this policy. Such use shall be prohibited during working hours. Personal use is limited to breaks and lunch. The MCG Health secure FTP web site cannot be used for personal reasons.

PROCEDURE:

A. General:

1. MCG Health management is responsible for determining the need for electronic systems access.

2. Each workforce member is required to read the policy and procedure.

3. The supervisor will submit a request to the Web Operations Manager (client facing) or the Information Technology (IT) Manager (internal) or designee who is responsible for setting up new workforce member access or modifying existing access.

4. The HIPAA Compliance Officer or designee is responsible for periodically auditing access to and use of MCG Health electronic communication systems to reasonably ensure workforce members are following established policies and procedures and that PHI or other confidential information is not inappropriately transmitted electronically over an open network (Internet) unencrypted.

5. All audit reports generated following the periodic review shall be retained for a minimum of six years.

6. If, in the course of the audit, it is found that a workforce member is inappropriately using MCG Health electronic communication systems and/or sending PHI over an open network unencrypted, the HIPAA Compliance Officer or designee shall inform the Privacy and Security Incident Response Team (PSIRT), the workforce member's supervisor and the Director of Human Resources.

7. Such a discovery shall result in appropriate workforce member sanctions.

8. Compliance

a) The HIPAA Compliance Officer or designee, the Web Operations Manager and the IT Manager or designee will monitor and track electronic system use as considered appropriate and also at regularly established times to meet the appropriate audit and regulatory requirements.

b) General monitoring of Internet access, e-mail use, wireless network use, FTP web site use and telephone systems by workforce members is the responsibility of the HIPAA Compliance Officer or designee. Inappropriate usage will be reported to the workforce member's supervisor and the Director of Human Resources.

c) Users of MCG Health electronic systems who are found in violation of any part of this policy are subject to sanctions. See Sanctions policy.
d) Sanctions for any violation of the Policy may include suspension, termination and potentially legal action. Sanctions may also include removal of access privileges as well as remedial measures such as, but not limited to, counseling, changes in work assignments, or other measures designed to prevent future misconduct.

e) Violations of this policy and procedure that involve the unauthorized use or disclosure of protected health information (PHI) or actual or suspected breaches of PHI shall be immediately reported to the HIPAA Compliance Officer for the purpose of activating the Privacy and Security Incident Response Team and initiating breach notification. See the Privacy and Security Incident Response policy and the Breach Notification policy.

B. E-Mail:

1. Workforce Member Responsibilities

a) Use of MCG Health e-mail services is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy.

b) E-mail services include, but are not limited to: Internet e-mail including secure e-mail services, internal e-mail, wireless e-mail and web access.

c) Assigned e-mail account passwords shall not be shared with another individual. They are intended for the authorized workforce member only.

d) Users have an obligation to use proper etiquette in e-mail messages (e.g., no profanity, racial slurs, inclusion of pornographic pictures, etc.).

e) E-mail messages containing PHI or other confidential information that are transmitted outside the MCG Health network (wired or wireless) shall be encrypted and sent in a secure manner using [specific application selected by MCG Health].

f) Users that need to transmit PHI outside the MCG Health information systems network via e-mail must complete training on MCG Health e-mail encryption procedures prior to transmitting PHI or other confidential information outside the organization using the MCG Health e-mail system.

g) The workforce member's name, e-mail address, MCG Health affiliation, and related information included with e-mail messages must reflect the actual originator of the message.

h) The following uses of e-mail are prohibited:

i. Engaging in any communication that is threatening, defamatory, obscene, offensive, or harassing

ii. Dissemination of Confidential Information (i.e., PHI, MCG Health, trade secrets, workforce personnel information or financial data), except for approved business purposes

iii. Use of e-mail system for sending chain letters, solicitation of funds, religious or political causes, gambling, illegal activities or for commercial purposes unrelated to MCG Health practice

iv. Copying or transmission of any document, software or other information protected by copyright and/or patent law, without proper authorization by the copyright or patent owner

v. Use of profanity, sexually explicit and discriminatory language within messages

vi. Attempting to gain access to another workforce member's e-mail account, without permission

vii. Misrepresenting, obscuring, suppressing, or replacing a workforce member's identity

viii. Sending PHI or other confidential information over an open network (the Internet) without proper encryption

i) When workforce members receive unwanted and unsolicited e-mail (also known as spam), they must not respond directly to the sender. They shall delete the message.

j) The Microsoft Outlook service, Out of Office Assistant, shall be utilized when a workforce member is out of the office for an extended period of time.

k) E-mail attachments with certain file extensions are quarantined (e.g., .exe, .vbs, .scr, .pps, .mpg, .wav, etc.). Other file types may be temporarily quarantined if they are associated with a virus transmission. Quarantined files can be obtained by contacting the Web Operations Manager or the IT Manager or designee.

2. Workforce members are required to reasonably ensure messages or attachments containing PHI or other confidential information are encrypted and sent in a secure manner.

3. Workforce members who transmit PHI outside the organization shall comply with applicable regulatory requirements, contractual requirements and MCG Health policies and procedures regarding the disclosure of PHI or other confidential information to third parties.

4. Users shall follow applicable MCG Health policies and procedures regarding minimum necessary disclosures of PHI.

C. Internet Access:

1. Workforce Member Responsibilities

a) Use of MCG Health Internet access is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy.

b) Users are not to use MCG Health provided Internet connections to listen to radio stations, or watch broadcast video. Exceptions are made for strictly business related broadcasts for training, knowledge acquisition and transfer, as well as other business related information content delivery.

c) This policy applies when e-mail is sent from a workstation located at an MCG Health facility, a remote location while accessing the MCG Health network or for personal use when in travel status and not connected to the MCG Health network.

d) Prohibited usage of MCG Health Internet services includes:

i. Viewing, sending or soliciting sexually oriented or discriminatory messages, web sites or images

ii. Use of web based personal e-mail accounts for, but not limited to:

a. Dissemination of PHI or confidential information, except for approved business purposes

b. Solicitation of funds, religious or political causes, gambling, or for illegal activities

c. Any threatening, defamatory, obscene, offensive, or harassing communications

d. Dissemination or printing of copyrighted materials (including articles and software) in violation of copyright and/or patent law without proper authorization by the copyright or patent owner

e. Attempting to gain access to another Internet account, without permission

f. Sending PHI or other confidential information over the Internet without proper encryption.

D. Phones:

1. User Responsibilities

a) The use of MCG Health phones (static and mobile) is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy.

b) MCG Health voice mail passwords shall not be shared or revealed to anyone else besides the authorized workforce member.

c) Workforce members have an obligation to use proper etiquette when leaving voice mail messages and announcements.

d) Prohibited usage of MCG Health phones (static and mobile) includes:

i. Any communications or leaving voice messages that are threatening, defamatory, obscene, offensive or harassing

ii. Solicitation of funds, religious or political causes, gambling, or for illegal activities

iii. Attempting to gain access to another workforce member's voice mail account

iv. Making long distance phone calls for personal reasons

e) A workforce member assigned an MCG Health mobile phone is responsible for protecting the phone from theft or damage.

f) If the mobile phone is lost or stolen, the workforce member will report the loss or theft to [designated manager responsible for mobile phone management and tracking] who will notify the mobile service provider to request deactivation of that account.

g) Mobile phones and smart phones (e.g., BlackBerry, Palm, iPhone, etc.) shall not be used to send any text or e-mail messages containing PHI.

E. Wireless Networks and Access:

1. Access to MCG Health network is secure.

2. Use is consistent with Workstation Use policy.

3. No PHI or other confidential information is sent from the laptop to an individual or entity outside of MCG Health organization using personal web based e-mail accounts.

4. Any PHI or confidential information sent while securely connected to MCG Health network via the company VPN is sent encrypted.

I have read the MCG Health Policy and Procedure and understand my responsibilities as it relates to this policy and procedure. I also understand that if I violate this policy and procedure, I will be subject to sanctions up to and including termination and notification of law enforcement.

Workforce Member Signature / Date

Director of Human Resources Signature / Date

APPLIES TO:

HIPAA Compliance Officer

Director of Human Resources

Web Operations Manager

Information Technology Manager

Mobile phone management designee

Privacy and Security Incident Response Team

Workforce members

REFERENCES:

HIPAA Security Rule, 45 CFR 164.312(a)(1), 164.312(c)(1), 164.312(e)(1)