COLUMBIA UNIVERSITY EMAIL USAGE POLICY



Similar documents
Responsible Use of Technology and Information Resources

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Executive Vice President of Finance and

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION ELECTRONIC MAIL AND BULK ELECTRONIC DISTRIBUTION

PHI- Protected Health Information

Southern Law Center Law Center Policy #IT0004. Title: Policy

HIPAA Compliance & Privacy. What You Need to Know Now

APPENDIX 1: Frequently Asked Questions

Acceptable Use Policy

Technology Standard. Electronic Communications Standard PURPOSE SCOPE APPLICABILITY

Instruction. Neoga Community Unit School District #3 Page 1 of 5

Village of Hastings-on-Hudson Electronic Policy. Internal and External Policies and Procedures

2. Prohibit and prevent unauthorized online disclosure, use, or dissemination of personally identifiable information of students.

Barracuda User Guide. Managing your Spam Quarantine

Standard: and Campus Communication

Additional Information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Acceptable Use of ICT Policy For Staff

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement

COMPUTER USE IN INSTRUCTION

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

POLICIES & PROCEDURES

Gaston County HIPAA Manual

Healthcare Insurance Portability & Accountability Act (HIPAA)

Executive Memorandum No. 16

Pierce County Policy on Computer Use and Information Systems

Southwest Texas Telephone Company (SWTTC) Acceptable Use Policy for Asynchronous Digital Subscriber Line (ADSL)/Internet Customers

BUSINESS ASSOCIATE AGREEMENT RECITALS

MaxMD 2200 Fletcher Ave. 5 th Floor Fort Lee, NJ (201) support@max.md Page 1of 10

FLORIDA A&M UNIVERSITY BOARD OF TRUSTEES NOTICE OF PROPOSED AMENDED REGULATION

Authorized. User Agreement

Mentor Public Schools Board of Education 6.48 Policy Manual page 1 Chapter VI Pupil Personnel STUDENT , INTERNET AND COMPUTER USE

CITY OF SALINE CELL PHONE POLICY

BUSINESS ASSOCIATE AGREEMENT. Recitals

COMPUTER NETWORK FOR EDUCATION

13. Acceptable Use Policy

POLICY Adopted by Board of Education: 4/20/05

University Healthcare Physicians Compliance and Privacy Policy

Policy and Procedure for Internet Use Summer Youth Program Johnson County Community College

VICTOR VALLEY COMMUNITY COLLEGE DISTRICT ADMINISTRATIVE PROCEDURE. Computer Use - Computer and Electronic Communication Systems.

MARIN COUNTY OFFICE OF EDUCATION. EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS

Health Insurance Portability and Accountability Act (HIPAA) Overview

BOARD OF EDUCATION POLICY

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

PINELAND TELEPHONE COOPERATIVE DSL SERVICE AGREEMENT

TOWN OF COTTESLOE POLICY MANAGEMENT

Information Technology Acceptable Use Policy

My Docs Online HIPAA Compliance

Broadband Acceptable Use Policy

DEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

La Cañada Unified School District Personnel Use of Technology Regulations (AR ) Also known as the Staff Technology and Internet Use Policy

Embedded Network Solutions Australia Pty Ltd (ENSA) INTERNET ACCEPTABLE USE POLICY

SAS TRUSTEE CORPORATION ( STC )

PURPOSE To establish standards for the use of College networks and computer accounts.

COMPUTER, NETWORK AND INTERNET USE POLICY

Federal Trade Commission Privacy Impact Assessment

Management: A Guide For Harvard Administrators

Medina County Policy Manual

This form may not be modified without prior approval from the Department of Justice.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

Revised: 6-04, 8-09, 1-12 REGULATION #5420

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

POLICIES AND REGULATIONS Policy #78

Transforming business through technology. Acceptable Use Policy & Data Centre Policies

About Your Policy Kit

district Legal Networking

HIPAA SECURITY AWARENESS

No filter is perfect. But with your help, MailCleaner may aim at perfection. Case Description Solution

Appendix G District Policies and Procedures

GUIDANCE October 31, 2008

Acceptable Use Policy. Version 2. August 15 th,

Tele-Media Cable Internet Acceptable Use Policy

THE SCHOOL DISTRICT OF PHILADELPHIA

Mount Wachusett Community College. Information Technology Acceptable Use Policies and Helpdesk Prioritization Practices

ACCEPTABLE USE POLICY

FAYETTEVILLE (AR) PUBLIC SCHOOLS COMPUTER/NETWORK USE POLICY

Terms of Use Table of Contents 1. General Information 2. Your Agreement to the Terms 3. Changes to the Terms 4. Provision of the Website

BUSINESS ASSOCIATE AGREEMENT

Acceptable Use Policy - NBN Services

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT FOR ATTORNEYS

ACCEPTABLE USE OF TECHNOLOGY

City of Venice Information Technology Usage Policy

Policy For Staff and Students

B. Privacy. Users have no expectation of privacy in their use of the CPS Network and Computer Resources.

Web Server & Systems Usage Policy. The WGG Associates Limited Usage Policy has been developed with the following objectives:

EMPLOYEE BEHAVIOR & EXPECTATIONS CITY OF PORTLAND HUMAN RESOURCES ADMINISTRATIVE RULES 4.08 INFORMATION TECHNOLOGIES

Student use of the Internet Systems is governed by this Policy, OCS regulations, policies and guidelines, and applicable law.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

REGION 19 HEAD START. Acceptable Use Policy

Procedure Title: TennDent HIPAA Security Awareness and Training

BUCKEYE EXPRESS HIGH SPEED INTERNET SERVICE ACCEPTABLE USE POLICY

THE LUTHERAN UNIVERSITY ASSOCIATION, INC. d/b/a Valparaiso University IDENTITY THEFT PREVENTION PROGRAM

Acceptable Use Policy

Superintendent Policy Code: 4185 Page 1 of 7 EMPLOYEE USE OF COMPUTERS, THE INTERNET AND ELECTRONIC COMMUNICATIONS

Sendmail and PostX: Simplifying HIPAA Compliance. Providing healthcare organizations with secure outbound, inbound and internal

Transcription:

COLUMBIA UNIVERSITY EMAIL USAGE POLICY Published: October 2013 I. Introduction Email is an expedient communication vehicle to send messages to the Columbia University community. The University recognizes and has established the use of email as an official means of communication. However, use of an email system at the University requires adequate security measures to protect the Data (as such term is defined in the Columbia University Information Security Charter (the Charter ) [http://policylibrary.columbia.edu/information-security-charter] that is transmitted. Capitalized terms used herein without definition are defined in the Charter. II. Policy History The effective date of this Policy is November 1, 2013. This Policy and other Information Security Policies replace (A) the following University Policies: Electronic Information Resources Security Policy, dated March 1, 2007 Email Usage and Retention Policy, dated April 1, 2008 and (B) the following CUMC Policy: Communicating Protected Health Information via Electronic Mail (Email) at Columbia University Medical Center, dated January 21, 2004, and amended as of September 21, 2012 III. Policy Text A. Approved University Email Systems All email used to conduct University business must be transmitted via an Approved University Email System. For purposes of this Policy, an Approved University Email System is Cubmail, Lionmail, any CUIT or CUMC IT Email System and any other Email System that has been risk assessed and approved by the applicable Information Security Office. B. Prohibited Actions No User of University email may take any of the following actions: 1. Send or forward an email through a University System or Network for any purpose if such email transmission violates laws, regulations or University policies and procedures; 2. Use any Email System other than an Approved University Email System, to conduct University business or to represent oneself or one s business on behalf of the University. 1

Examples of Email Systems that are not approved include a personal email account or a personal Columbia Alumni Association account (i.e., anything@caa.columbia.edu). 3. Send nuisance email or other online messages such as chain letters; 4. Send obscene, harassing, offensive or other unwelcome messages; 5. Send unsolicited email messages to a large number of Users unless explicitly approved by the appropriate University authority; or 6. Impersonate any other person or group by modifying email header information to deceive recipients. C. Provisions Relating to Emails Containing Sensitive Data or Confidential Data Each User shall ensure that Sensitive Data or Confidential Data is transmitted by email only if the following conditions are met: 1. Except as provided in Section D below, all email communications of Sensitive Data or Confidential Data are encrypted before being transmitted. 2. Sensitive Data or Confidential Data are not transmitted in the Subject line of an email. 3. Before transmitting an email that contains Sensitive Data or Confidential Data, the User double-checks the message and any attachment to verify that no unintended information is included and that the proper document is attached. 4. Before transmitting an email that contains Sensitive Data or Confidential Data, the User double-checks the identity of the recipients. D. Provisions Relating to Email Within the Columbia Covered Entity For purposes of this Policy, the Columbia Covered Entity is CUMC and any other operation at the University that has been designated to be included in the University s Covered Entity. An Approved OHCA Email System is any CUIT Email System other than Lionmail, any CUMC IT Email System and any other Email System used within the CU/Hospital OHCA that has been approved by the CUMC Information Security Office. The following provisions relate only to email transmitted by Users within the Columbia Covered Entity: 1. Unencrypted EPHI may be transmitted internally if sent on an Approved OHCA Email System. 2. No automatic forwarding, redirection or automated delivery of email outside the CU/Hospital OHCA may be used. 3. Email messages containing EPHI must include the following confidentiality notice: This electronic message is intended to be for the use only of the named recipient and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us 2

immediately by contacting the sender at the electronic email address noted above, and delete and destroy all copies of this message. Thank you. 4. Any User who is unsure whether an email message or attachment contains Sensitive Data or Confidential Data must contact his/her supervisor or the HIPAA Privacy Officer before initiating the email communication. E. Communicating PHI to Patients 1. Patients have the right to request that the University communicate with them via email. If a patient requests email communications containing his/her PHI, the individual receiving the request must obtain a completed Patient Request for Email Communications from [http://www.cumc.columbia.edu/hipaa/pdf/patient_request_for_email_form.pdf] from the patient and provide the patient with the Important Information About Provider/Patient Email form [http://www.cumc.columbia.edu/hipaa/docs/cumcimptinfo_provider.pdf] prior to processing the patient s request. 2. All email communications with patients must be transmitted in encrypted form on an Approved University Email System. 3. The University reserves the right to deny a patient s request to communicate with him/her via email. For example, a patient s request for email communications may be denied by the University if a provider with an existing clinical relationship with the patient believes email communications with the patient should not occur. 4. All completed Patient Requests for Email Communications will be maintained by the office processing the patient s request for a minimum of 6 years. Approved requests are valid regardless of the time period so long as a hard copy of the form is maintained or the signed form is scanned into the patient s electronic medical record. 5. An approved Patient Request for Email Communications will be effective for only the health care provider identified in the Request. The patient must complete a separate Request for each health care provider with whom he/she wants to communicate via email and must revoke each Request to discontinue email communications. F. Privacy Expectations The University observes the Privacy Expectations described in the Columbia University Acceptable Usage of Information Resources Policy [http://policylibrary.columbia.edu/acceptable-usage-information-resources-policy] with respect to email. For reasons relating to compliance, security or legal proceedings (e.g., subpoenas) or in an emergency or in exceptional circumstances, the Office of the General Counsel may authorize the reading, blocking or deletion of Data. In particular, in the context of a litigation or an investigation, it may be necessary to access Data with potentially relevant information. Any such action taken must be immediately reported to the Office of the General Counsel and the applicable Information Security Office. 3

The University may record information about certain data elements of email messages in the course of monitoring or maintaining its email systems. These data include, but are not limited to: (a) the identity and address of the authenticated sender, (b) the address of the recipient, (c) the size of the message, (d) the transmission time, (e) the headers of the email, (f) the subject of the message, (g) the number of attachments and (h) certain features that are used to identify spam. CUMC uses a Data Loss Prevention (DLP) solution that filters outbound email messages and attachments to identify the presence of character patterns resembling Sensitive Data, examples of which could include social security numbers, credit card numbers, patient record numbers or certain identifiable data elements that constitute EPHI. Upon detecting a character pattern that might reflect the presence of Sensitive Data, the DLP appliance blocks the email and automatically sends a message to the sender instructing him/her to re-send the contents in encrypted form or to take comparable appropriate action. The filtering consists of automatic scanning for prescribed character patterns and does not permit reading the contents of the email. IV. Cross References to Related Policies and Other Documentation. The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto. 4

Appendix A Related Policies Acceptable Usage of Information Resources Policy http://policylibrary.columbia.edu/acceptable-usage-information-resources-policy Important Information about Provider/Patient Email http://www.cumc.columbia.edu/hipaa/docs/cumcimptinfo_provider.pdf Information Security Charter http://policylibrary.columbia.edu/information-security-charter Patient Request for Email Communications http://www.cumc.columbia.edu/hipaa/pdf/patient_request_for_email_form.pdf 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information