Acceptable Use Policy
Mental Health Clinical Information System (PSOLIS)
Mental Health Division
November 2009
Acknowledgement

This document would not have been possible without the contribution of the PSOLIS Audit Steering Committee members:

Theresa Marshall - Consultant Clinical Governance Reviews, Office of the Chief Psychiatrist Representative
Mark Pestell - Area Manager, South Metropolitan Area Health Service - Mental Health Representative
Patrick Marwick - Clinical Director, CAMHS North Metropolitan Area Health Service - Mental Health Representative
Robert Edey - Senior Program Officer, WA Country Health Service Mental Health Representative
David Ward - Manager Mental Health Information, Women and New Born and Child and Adolescent Health Service Representative
Michael Kalynuik - Clinical Systems Coordinator, Bentley Health Service Mental Health Representative
Mary Blake - Systems Administrator, North Metropolitan Area Health Service Mental Health Representative
Sharon Mannion - A/Area Coordinator Mental Health Information System, South Metropolitan Area Health Service Mental Health Representative
Kirsty Edoo - Application Manager PSOLIS, Health Information Network Representative
Paul Jowett - Technical Lead PSOLIS, Health Information Network Representative
Donna Slattery - Application Specialist PSOLIS, Health Information Network Representative
Tom Pinder - Manager Mental Health Information System, Information Management and Reporting Directorate Representative
Creswell Surrao - Senior Program Manager, Statewide Mental Health Governance and Performance, Mental Health Division Representative

Version Control

Purpose: Stipulate acceptable use of the mental health clinical information system PSOLIS
Relevant To: PSOLIS Users
Approval Authority: Mental Health Operations Review Committee/PSOLIS Custodians
Effective Date: 01 Dec 2009
Review Date: 30 Nov 2014
Responsible Group: PSOLIS Management Group
Enquiries Contact: Creswell Surrao, Senior Program Manager, Tel: 9222 4099
Source Document: Acceptable Use Standard Computing & Communication Facilities, Department of Health, Government of Western Australia
Table of Contents

Introduction
General Obligations
To Whom Does This Policy Apply
1. Purpose
1.1 Policy Scope
2. Policy Statement
2.1 Responsible Use
2.2 General Security
2.3 Ethical Use of the PSOLIS Application
2.4 Record Keeping
2.5 Compliance Monitoring and Controls
2.6 Breaches
3. Background
4. Training
5. Related Legislative and other Documents
6. Appendices
a. Operational Directive No: OD 0131/08 Access to the Mental Health Clinical Information System (PSOLIS) by Public Sector Organisations
b. Operational Directive No: OD 0132/08 Access to the Mental Health Clinical Information System (PSOLIS) by Non-Public Sector Organisations
c. Operational Directive No: 9222 4200 Mandatory Data Collection and Recording Requirements for Specialised Public Mental Health Services
d. Operational Circular No: OP1917/05 Programs (Service Units) in the Mental Health Clinical Information System (PSOLIS)
e. Operational Circular No: OP1916/05 Ambulatory (Community) Mental Health Data Collection
g. Department of Health Western Australia Data Management Policy
h. Department of Health Western Australia Data Custodianship Policy and list of assigned Data Custodians and nominated delegates for the PSOLIS Application
i. Information Security Policy
j. Portable Computer and Storage Devices Policy
Introduction

This policy establishes the minimum obligations incumbent upon all staff, both government and non-government, who have access to the mental health clinical information system PSOLIS. It must be read in conjunction with the Department of Health Western Australia Acceptable Use Standard Computing & Communications Facilities and all other policies, guidelines and Operational Directives pertaining to the PSOLIS application.

General Obligations

Staff must use the PSOLIS application in a responsible manner, taking into account the consequences their actions may have.

Staff must not use the PSOLIS application:
- for any unlawful, illegal, malicious or improper purpose;
- to access, without the relevant permissions, any information held within the application;
- to disclose private or confidential information contained within PSOLIS for any purpose other than those reasons identified within the FOI Act and in keeping with Department of Health policies and guidelines for information disclosure;
- to enter information into PSOLIS that is offensive, defamatory, abusive or that violates any law or regulation.

To Whom Does This Policy Apply?

The Acceptable Use Policy applies to all Department of Health WA staff with access to the mental health clinical information system PSOLIS and includes, but is not limited to:
- all staff, contractors, casuals, students and volunteers;
- operators of any Department of Health WA Services;
- any external organisation or their staff; and
- organisations offering outsourcing arrangements for the Department of Health WA.

REMEMBER: Staff will be required to provide an acknowledgment (by signing a Declaration Form issued by their respective service) that this policy has been provided to them and has been read and understood by them. The signed Declaration Form will be held on each individual staff member's personal file.
1 Purpose

This policy sets out acceptable use of the mental health clinical information system PSOLIS by all authorised users. The provisions of this policy are intended as a minimum requirement that must be complied with and are not meant to be exhaustive.

The purpose of this policy is to:
- ensure users are aware of their role, responsibilities and obligations when using the PSOLIS application;
- prevent misuse of the application;
- ensure users recognise the privilege of access to, and the confidential nature of, patient information;
- inform users of Department of Health WA's obligation to routinely monitor for compliance with this policy;
- identify the consequences of breaching this policy;
- ensure staff members are not exposed to unethical behaviour such as privacy violations as a consequence of user actions; and
- avoid conduct that violates any written law whether or not expressly mentioned in this policy (e.g. The Western Australian Criminal Code 440A, which addresses unlawful use of computers).

This policy complies with, and should be read in conjunction with, the Public Sector Code of Ethics and all other Professional Codes of Conduct associated with discipline-specific professions.

1.1 Policy Scope

Use of the mental health clinical information system PSOLIS includes all electronic transmissions to or through the application.
2 Policy Statements

2.1 Responsible Use

Mental Health Clinical Information System PSOLIS must be used responsibly.

Unauthorised or inappropriate use of the mental health clinical information system PSOLIS could result in limitations on use, disciplinary actions, criminal penalties and/or staff and other users being held liable for any inappropriate use. Staff should act professionally in the workplace and refrain from using the mental health clinical information system PSOLIS for activities that are inappropriate.

Misuse or inappropriate use of the PSOLIS application includes:
a) Any personal use. Personal use is any activity that is conducted for purposes other than accomplishing the official business of the DoHWA, e.g. looking up information in PSOLIS regarding a relative or friend, or a person associated with a sentinel event, for no apparent clinical or administrative reason.
b) Use of the PSOLIS application as a staging ground or platform to gain unauthorised access to other Department of Health computer systems, or other illegal computer trespass, for example hacking.
c) The intentional unauthorised internal or external transmission of any information subject to the Privacy Act, for example patient information.
d) Using another person's digital authentication of logon and password.
e) Avoiding established security procedures. Such activities include, but are not limited to, accessing PSOLIS information and PSOLIS-derived sub-sets of information in any form without complying with established access as per DoH WA policies and protocols.

2.2 General Security

The PSOLIS application and any information contained therein must not be placed in jeopardy.

Staff should be aware that their use of / access to the PSOLIS application is made with the understanding that such use may not be private. Use of the PSOLIS application by staff may be disclosed to employees within the Department of Health who have a need to know in the performance of their duties, e.g. Operational Data Custodians for the PSOLIS application, who are the:
- Director, Mental Health WACHS; and delegate: Senior Program Manager, Mental Health WACHS.

The PSOLIS application contains monitoring tools, and inappropriate use may be reported to authorised staff or the human resource Corporate Governance Directorate, who investigate inappropriate use. The privacy rights of any individual staff member with access to the PSOLIS application will not be violated unless it is proven that such rights have been misused / violated.

To assist with general security, staff should:
- not share their PSOLIS access logon and password;
- change their password if anyone else may know it;
- activate the screen saver or lock the workstation if they are away from their desk; and
- always log out when finished using the system.

REMEMBER: Users are responsible for the use of their PSOLIS logon and password. If you believe it has been compromised in any way, you must report it immediately to your supervisor / manager.

2.3 Ethical Use of the PSOLIS application

The PSOLIS application will only be used in an ethical manner, in accordance with the Department of Health Western Australia Acceptable Use Standard Computing & Communications Facilities and all other Information Technology policies, guidelines and Operational Directives pertaining to the PSOLIS application.

PSOLIS users should respect the privacy and confidentiality of client information, observe the provisions of the Commonwealth Privacy Act 1988 and comply with the Public Sector Code of Ethics when using the application.

2.4 Record Keeping

Electronic records are part of the business records of the Department of Health WA.

Any records created within the PSOLIS application should form part of the health record of an individual consumer and should be accorded the same standards of professional documentation, and be printed, signed and retained in the same way. This is especially so as documents held electronically in the PSOLIS application are part of the business records of the Department of Health WA and are essential to the preservation of a proper audit trail.
2.5 Compliance Monitoring and Controls

The Department of Health WA has a legal obligation to monitor access to the PSOLIS application.

Individual area mental health services will routinely monitor and investigate staff access and usage of the PSOLIS application. This will occur to confirm compliance with the requirements of this policy initiative and to investigate possible incidents of breaches and unauthorised access.

A breach for the purposes of this policy may include, but is not limited to, the following:
- Access to a client record in PSOLIS that is outside a PSOLIS user's usual permissions / primary access stream without a relevant clinical or administrative need.

Monitoring process:
- A random selection of staff will be routinely selected for audit.
- Where a record outside of their stream has been accessed, it will be cross-checked to establish that there is a corresponding service event of clinical / administrative relevance.
- The period of audit will be the preceding two weeks' access to the PSOLIS application.

PSOLIS Audit Reports

PSOLIS Local Administrators and Report Administrators are able to produce three different Audit reports for the purpose of monitoring access to client records at their Mental Health Service(s).

Audit: User of Interest
Report Parameters: Date From; Date To; User; Report Format (PDF, Word or Excel).
Report results display the designated user's access to all client and non-client records, including both in-stream and out-of-stream access, for the specified date range. An Access Without Role column indicates any out-of-stream access. [1] Access to clients that are blocked to the user running the report will appear in the results but shall be marked as non-client.

[1] When Current Only Users is selected, Global Read Only Users are not listed unless they also have stream-specific access.

Audit: Out of Stream Access
Report Parameters: Date From; Date To; Stream; Report Format (PDF, Word or Excel).
Report results display all user access, regardless of stream permission, to all client records that have been accessed within the specified stream, regardless of whether the user had stream roles at the time of access. [3]

Audit: Client of Interest
Report Parameters: Date From; Date To; Client; Report Format (PDF, Word or Excel).
Report results display user access to the designated client record. This includes all users who have accessed the designated client record within the specified stream who do not have a role in any of the client's streams at the time. [2]

[2] Users that access client records via their Global Read Only privilege will still be indicated as an out-of-stream access.

Flowchart for accessing audit reports in PSOLIS:
1. Access PSOLIS Administrative Reports.
2. Run the required report:
   - Audit - Client of Interest: report regarding user access to a designated client record.
   - Audit - Out of Stream Access: report regarding all users' access to all client records for a designated stream.
   - Audit - User of Interest: report regarding a designated user's access to all client records.
3. Review the report information.
4. If an apparent user access breach is identified, record: the user; the date/time of the breach; the client CMHI/UMRN.
5. Follow protocol requirements: contact the user's MHS Manager seeking clarification of the user's access to the client record.
6. Follow protocol if a breach has occurred.
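The monitoring process above (random user selection, out-of-stream access cross-checked against a corresponding service event, a two-week audit window, and Global Read Only access still counting as out-of-stream) can be expressed as a small piece of detection logic. The following is an added illustration written for this page; it is not PSOLIS code or report output. The access log, service events, user names, client identifiers and stream names are all constructed, and it assumes that a "corresponding" service event is one by the same user for the same client inside the audit window.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample records; an added illustration, not PSOLIS data or report output.


@dataclass(frozen=True)
class Access:
    user: str
    client: str                  # constructed client identifier (stands in for a CMHI/UMRN)
    stream: str                  # the stream the accessed record belongs to
    when: date
    via_global_read_only: bool = False


@dataclass(frozen=True)
class ServiceEvent:
    user: str
    client: str
    when: date


AUDIT_WINDOW = timedelta(days=14)    # policy: the preceding two weeks of access


def audit_user(user, user_streams, accesses, events, audit_end, window=AUDIT_WINDOW):
    """Return (flagged, explained) lists of out-of-stream Access records for one user.

    An access is out-of-stream when the record's stream is not one the user holds a role
    in; access made via Global Read Only is always treated as out-of-stream (footnote 2).
    An out-of-stream access is 'explained' when the same user has a service event for the
    same client inside the audit window (assumption); otherwise it is flagged for follow-up
    with the user's manager, as the flowchart describes.
    """
    start = audit_end - window
    in_window = lambda d: start <= d <= audit_end
    event_keys = {(e.user, e.client) for e in events if in_window(e.when)}
    flagged, explained = [], []
    for a in accesses:
        if a.user != user or not in_window(a.when):
            continue                                   # other users / outside the audit period
        out_of_stream = a.via_global_read_only or a.stream not in user_streams
        if not out_of_stream:
            continue                                   # in-stream access needs no cross-check
        (explained if (a.user, a.client) in event_keys else flagged).append(a)
    return flagged, explained


def breach_lines(flagged):
    """Render what the flowchart says to record for each apparent breach: user, date, client."""
    return [f"{a.user} {a.when.isoformat()} {a.client}" for a in flagged]


def run_sample():
    """Audit the constructed user 'jdoe' (roles in stream 'north-adult' only)."""
    audit_end = date(2009, 12, 15)
    accesses = [
        Access("jdoe", "C001", "north-adult", date(2009, 12, 10)),              # in-stream
        Access("jdoe", "C002", "south-adult", date(2009, 12, 8)),               # out-of-stream, has event
        Access("jdoe", "C003", "camhs", date(2009, 12, 12)),                    # out-of-stream, no event
        Access("jdoe", "C004", "wachs", date(2009, 12, 11), via_global_read_only=True),  # GRO, no event
        Access("jdoe", "C005", "south-adult", date(2009, 11, 20)),              # outside the two weeks
        Access("asmith", "C003", "camhs", date(2009, 12, 12)),                  # a different user
    ]
    events = [
        ServiceEvent("jdoe", "C002", date(2009, 12, 8)),
        ServiceEvent("jdoe", "C005", date(2009, 11, 20)),
    ]
    flagged, explained = audit_user("jdoe", {"north-adult"}, accesses, events, audit_end)
    return [a.client for a in flagged], [a.client for a in explained], breach_lines(flagged)


if __name__ == "__main__":
    flagged, explained, lines = run_sample()
    print("flagged:", flagged)        # ['C003', 'C004']
    print("explained:", explained)    # ['C002']
    for line in lines:
        print("follow up:", line)
```

The C002 access is out-of-stream but has a matching service event, so it is explained rather than flagged; C003 has no event and C004 was reached via Global Read Only, so both are flagged for the manager follow-up step. The C005 access is outside the two-week window and is not examined at all, which is why the audit period matters: an access without a recent service event only counts once it falls inside the window being reviewed.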
2.6 Breaches

Disciplinary action may occur for any breaches associated with the PSOLIS application.

Breaches of the PSOLIS application will be regarded as a serious matter, and disciplinary or other action may be initiated at the discretion of the Operational Data Custodian for the employing Area Mental Health Service. The Operational Data Custodians or their delegates will not automatically assume an allegation of inappropriate use / access has occurred until all the facts have been assessed and a requirement for action is warranted.

Where a breach has been identified, staff will be required to provide a reason for the breach. Staff may then be informed that their access to the PSOLIS application will be routinely monitored for a period to be determined by the Operational Data Custodian or their delegate.

At their absolute discretion, Area Mental Health Services reserve the right to suspend or terminate staff access to the mental health clinical information system PSOLIS if breaches have occurred.

At the discretion of the Area Mental Health Service, all instances of inappropriate access / use of the mental health clinical information system PSOLIS, especially with regard to repeat offenders, will be reported to the Corporate Governance Directorate, who may then report the incident to the Corruption and Crime Commission.

REMEMBER: The Acceptable Use Policy contains the following:
- Responsible Use
- General Security
- Ethical Use
- Record Keeping
- Compliance Monitoring and Controls
- Breaches
3 Background

Staff who require access to the mental health clinical information system PSOLIS must do so in accordance with relevant State and Commonwealth legislation governing Information Technology.

When using the mental health information system PSOLIS, Area Mental Health Services expect users to have a basic working knowledge of how the PSOLIS application works, its functions and its types of use relevant to their level of access and permissions. Area Mental Health Services will routinely assess users' need for training and refresher training in the PSOLIS application.

3.1 Out-of-Hours / Remote Access

Access to the PSOLIS application is routinely required outside of normal business hours and whilst providing mental health care to consumers in rural and remote services. Current practice involves phoning or visiting Hospital/Health Service sites to obtain information from the PSOLIS application. No information other than anecdotal evidence on the number of times this occurs is currently available.

Where Area Mental Health Services consider providing health professionals with remote access to the PSOLIS application via a range of secure methods, including but not limited to access from the Internet\Health Remote via SecureClient and Secure Portal, the following should apply:
- determine criteria and processes for approval;
- assess the appropriateness of individual applications for approval;
- request a regular audit report for the Remote Access User Group for individual Area Mental Health Services.

The confidentiality and security requirements remain similar to the requirements for in-house / health service site access to the PSOLIS application.

4 Training

Area Mental Health Services will ensure that all staff who are provided with access to the mental health clinical information system PSOLIS will have the requisite training in the application, its functions and uses relevant to their level of permissions. It is also an expectation that regular refresher training in the PSOLIS application will be provided by Area Mental Health Services.

5 Related Legislative and other Documents

Department of Health Western Australia Operational Directives / Circulars and Policy initiatives:
1. Operational Directive No: OD 0131/08 Access to the Mental Health Clinical Information System (PSOLIS) by Public Sector Organisations
2. Operational Directive No: OD 0132/08 Access to the Mental Health Clinical Information System (PSOLIS) by Non-Public Sector Organisations
3. Operational Directive No: 9222 4200 Mandatory Data Collection and Recording Requirements for Specialised Public Mental Health Services
4. Operational Circular No: OP 1917/05 Programs (Service Units) in the Mental Health Clinical Information System (PSOLIS)
5. Operational Circular No: OP 1916/05 Ambulatory (Community) Mental Health Data Collection
6. Department of Health Western Australia Data Management Policy
7. Department of Health Western Australia Data Custodianship Policy

Public Sector Standards / Legislation:
1. Western Australian Public Sector Code of Ethics
2. Public Sector Management Act 1994 (WA)

State and Commonwealth Legislation:
1. Commonwealth of Australia Privacy Act 1988
2. Western Australian State Records Act 2000
3. Western Australian Mental Health Act 1996

Appendices

(Please click on the hyperlink for intranet access; please print and provide copies for Non-Public Sector Organisations with access to PSOLIS.)

a. Operational Directive No: OD 0131/08 Access to the Mental Health Clinical Information System (PSOLIS) by Public Sector Organisations
   http://intranet.health.wa.gov.au/circularsnew/pdfs/12401.pdf
b. Operational Directive No: OD 0132/08 Access to the Mental Health Clinical Information System (PSOLIS) by Non-Public Sector Organisations
   http://intranet.health.wa.gov.au/circularsnew/pdfs/12402.pdf
c. Operational Directive No: 9222 4200 Mandatory Data Collection and Recording Requirements for Specialised Public Mental Health Services
   http://intranet.health.wa.gov.au/circularsnew/pdfs/12509.pdf
d. Operational Circular No: OP1917/05 Programs (Service Units) in the Mental Health Clinical Information System (PSOLIS)
   http://intranet.health.wa.gov.au/circulars/pdfs/11905.pdf
e. Operational Circular No: OP1916/05 Ambulatory (Community) Mental Health Data Collection
g. Department of Health Western Australia Data Management Policy
   http://intranet.health.wa.gov.au/corpdocs/policy/data_management_policy.doc
h. Department of Health Western Australia Data Custodianship Policy and list of assigned Data Custodians and nominated delegates for the PSOLIS Application
i. Information Security Policy
   http://intranet.health.wa.gov.au/corpdocs/policy/information_security_policy.doc
j. Portable Computer and Storage Devices Policy
   http://intranet.health.wa.gov.au/circularsnew/attachments/397.pdf