PURPOSE:
To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless access and file transfer protocol (FTP) transmission by MCG Health workforce members.
POLICY:
A. General
Ownership – MCG Health is the owner of all MCG Health electronic systems and intellectual property/data stored in them or transmitted from them.
a) All messages or data files originating from, transmitted from or received into the MCG Health electronic systems are considered the property of MCG Health.
b) MCG Health monitors and tracks system access and content to prevent theft or abuse of the system(s) and information and to reasonably ensure compliance with
applicable laws and regulations.
c) MCG Health reserves the right to monitor, access, and audit any exchange of e-mail, Internet traffic, wireless transmissions, FTP transmissions and phone voice traffic and messages for the purposes of reasonably ensuring the protection of legitimate business interests, proper utilization of MCG Health property and adherence to appropriate privacy and security practices.
d) E-mail, wireless transmissions, FTP transmissions and voice mail messages may be monitored and tracked without advanced notice to or consent by the workforce member.
B. E-Mail
E-mail is intended to be used as a business tool to facilitate communications and the exchange of information needed by workforce members to perform their assigned duties. An approved e-mail Confidentiality Notice is required and will be automatically added by the e-mail system on all messages sent to external recipients.
All e-mail messages and/or attachments that are transmitted outside the MCG Health
network (wired or secure wireless) and contain PHI or other confidential information need to be encrypted to protect the privacy and integrity of the information.
C. Internet Access
Internet access is intended to be used as a business tool for e-mail communication with covered entity clients customers and third party contractors and provide access to information needed by workforce members to perform their assigned duties.
MCG Health systems prevent will block certain non-business sites. Workforce members using MCG Health computers who discover they have connected with a web site that contains sexually explicit, racist, violent, or other potentially offensive material must immediately leave the site and notify the HIPAA Compliance Officer or designee so the site can be added to the blocked sites list. The ability to connect with a specific site does not in itself imply that workforce members of MCG Health systems are permitted to visit that site.
D. Phones
MCG Health phones (static and mobile) are intended to be used as a business tool by workforce members for communications with other MCG Health workforce members, covered entity clients and external third party contractors.
E. Wireless Networks and Access
Workforce members who are in travel status and use laptops to access MCG Health network or to send and receive e-mail shall reasonably ensure any communication is in accordance with this policy and procedure and shall only access MCG Health’ network via virtual private network (VPN).
F. FTP Transmission
MCG Health maintains a secure FTP web site solely for the purpose of exchanging files and transactions that contain PHI and other confidential information such as covered entity client data. Access to the secure FTP site will be strictly controlled. Only authorized workforce members will be assigned access to the secure FTP site.
The secure FTP site shall only be used for business purposes. It is not intended for personal use to exchange files or transactions. Such use of the secure FTP site will be considered a violation of this policy and any workforce member violating this policy will be subject to the appropriate sanctions. See Sanctions policy.
G. General Usage
Members of MCG Health’ workforce may use MCG Health e-mail, Internet, phones (static and mobile) and the MCG Health wireless network for personal use as long as the workforce member adheres to the requirements of this policy. Such use shall be prohibited during working hours. Personal use is limited to breaks and lunch. MCG Health secure FTP web site cannot be used for personal reasons.
PROCEDURE:
A. General:1. MCG Health management is responsible for determining the need for electronic systems access.
3. The supervisor will submit a request to the Web Operations Manager (client facing) or the Information Technology (IT) Manager (internal) or designee who is responsible for setting up new workforce member access or modifying existing access.
4. The HIPAA Compliance Officer or designee is responsible for periodically auditing access to and use of MCG Health electronic communication systems to reasonably ensure workforce members are following established policies and procedures and that PHI or other confidential information is not inappropriately transmitted electronically over an open network (Internet) unencrypted.
5. All audit reports generated following the periodic review shall be retained for a minimum of six years.
6. If, in the course of the audit, it is found that a workforce member is inappropriately using MCG Health electronic communication systems and/or sending PHI over an open
network unencrypted, the HIPAA Compliance Officer or designee shall inform the Privacy and Security Incident Response Team (PSIRT), the workforce member’s supervisor and the Director of Human Resources.
7. Such a discovery shall result in appropriate workforce member sanctions. 8. Compliance -
a) The HIPAA Compliance Officer or designee, the Web Operations Manager and the IT Manager or designee will monitor and track electronic system use as considered appropriate and also at regularly established times to meet the appropriate audit and regulatory requirements.
b) General monitoring of Internet access, e-mail use, wireless network use, FTP web site use and telephone systems by workforce members is the responsibility of the HIPAA Compliance Officer or designee. Inappropriate usage will be reported to the
workforce member’s supervisor and the Director of Human Resources.
c) Users of MCG Health’ electronic systems who are found in violation of any part of this policy are subject to sanctions. See Sanctions policy.
d) Sanctions for any violation of the Electronic Communication Policy may include suspension, termination and potentially legal action. Sanctions may also include removal of access privileges as well as remedial measures such as, but not limited to, counseling, changes in work assignments, or other measures designed to prevent future misconduct.
e) Violations of this policy and procedure that involve the unauthorized use or
notification. See the Privacy and Security Incident Response policy and the Breach
Notification policy.
B. E-Mail:
1. Workforce Member Responsibilities
a) Use of MCG Health e-mail services is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy.
b) E-mail services include, but are not limited to: Internet e-mail including secure e-mail services, internal e-mail, wireless e-mail and web access.
c) Assigned e-mail account passwords shall not be shared with another individual. They are intended for the authorized workforce member only.
d) Users have an obligation to use proper etiquette in e-mail messages (e.g., no profanity, racial slurs, inclusion of pornographic pictures, etc.).
e) E-mail messages containing PHI or other confidential information that are
transmitted outside the MCG Health network (wired or wireless) network shall be encrypted and sent in a secure manner using [specific application selected by MCG Health}.
f) Users that need to transmit PHI outside the MCG Health information systems network via e-mail must complete training on MCG Health’ e-mail encryption procedures prior to transmitting PHI or other confidential information outside the organization using MCG Health’ e-mail system.
g) The workforce member’s name, e-mail address, MCG Health affiliation, and related information included with e-mail messages must reflect the actual originator of the message.
h) The following uses of e-mail are prohibited:
i. Engaging in any communication that is threatening, defamatory, obscene, offensive, or harassing
ii. Dissemination of Confidential Information (i.e., PHI, MCG Health, trade secrets, workforce personnel information or financial data), except for approved business purposes
iii. Use of e-mail system for sending chain letters, solicitation of funds, religious or political causes, gambling, illegal activities or for commercial purposes unrelated to MCG Health’ practice
iv. Copying or transmission of any document, software or other
v. Use of profanity, sexually explicit and discriminatory language within messages
vi. Attempting to gain access to another workforce member’s e-mail account, without permission
vii. Misrepresenting, obscuring, suppressing, or replacing a workforce member’s identity
viii. Sending PHI or other confidential Information over an open network (the Internet) without proper encryption
i) When workforce members receive unwanted and unsolicited e-mail (also known as spam), they must not respond directly to the sender. They shall delete the message. j) The Microsoft Outlook service, Out of Office Assistant, shall be utilized when a
workforce member is out of the office for an extended period of time.
k) E-mail attachments with the certain file extensions are quarantined (e.g. .exe, .vbs, .scr, .pps, .mpg, .wav, etc.). Other file types may be temporarily quarantined if they are associated with a virus transmission. Quarantined files can be obtained by contacting the Web Operations Manager or the IT Manager or designee. 2. Workforce members are required to reasonably ensure messages or attachments
containing PHI or other confidential information are encrypted and sent in a secure manner.
3. Workforce members who transmit PHI outside the organization shall comply with applicable regulatory requirements, contractual requirements and MCG Health policies and procedures regarding the disclosure of PHI or other confidential information to third parties.
4. Users shall follow applicable MCG Health policies and procedures regarding minimum necessary disclosures of PHI.
C. Internet Access:
1. Workforce Member Responsibilities
a) Use of MCG Health Internet access is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy.
c) This policy applies when e-mail is sent from a workstation located at MCG Health facility, a remote location while accessing MCG Health network or for personal use when in travel status and not connected to MCG Health network.
d) Prohibited usage of MCG Health Internet services include:
i. Viewing, sending or soliciting sexually oriented or discriminatory messages, web sites or images
ii. Use of web based personal e-mail accounts for, but not limited to:
a. Dissemination of PHI or confidential Information, except for approved business purposes
b. Solicitation of funds, religious or political causes, gambling, or for illegal activities
c. Any threatening, defamatory, obscene, offensive, or harassing communications
d. Dissemination or printing of copyrighted materials (including articles and software) in violation of copyright and/or patent law without proper authorized by the copyright or patent owner
e. Attempting to gain access to another Internet account, without permission
f. Sending PHI or other confidential information over the Internet without proper encryption.
D. Phones:
1. User Responsibilities
a) The use of MCG Health phones (static and mobile) is primarily for business use. Personal use is allowed only as set forth in the General Usage section of this policy. b) MCG Health voice mail passwords shall not be shared or revealed to anyone else
besides the authorized workforce member.
c) Workforce members have an obligation to use proper etiquette when leaving voice mail messages and announcements.
d) Prohibited usage of MCG Health phones (static and mobile) includes:
i. Any communications or leaving voice messages that are threatening, defamatory, obscene, offensive or harassing
ii. Solicitation of funds, religious or political causes, gambling, or for illegal activities
e) Workforce members assigned a MCG Health mobile phone is responsible for protecting the phone from theft or damage.
f) If the mobile phone is lost or stolen, the workforce member will report the loss or theft to [designated manager responsible for mobile phone management and tracking] who will notify the mobile service provider to request deactivation of that account.
g) Mobile phones and smart phones (e.g., BlackBerry, Palm, iPhone, etc.) shall not be used to send any text or e-mail messages containing PHI.
E. Wireless Networks and Access: 1. Access to MCG Health network is secure. 2. Use is consistent with Workstation Use policy.
3. No PHI or other confidential information is sent from the laptop to an individual or entity outside of MCG Health organization using personal web based e-mail accounts.
4. Any PHI or confidential information sent while securely connected to MCG Health network via the company VPN is sent encrypted.
I have read the MCG Health Electronic Communication Policy and Procedure and understand my responsibilities as it relates to this policy and procedure. I also understand that if I violate this policy and procedure, I will be subject to sanctions up to and including termination and notification of law enforcement.
___________________________________________ ____________________
Workforce Member Signature Date
___________________________________________ ____________________ Director of Human Resources Signature Date
APPLIES TO:
HIPAA Compliance Officer Director of Human Resources Web Operations Manager
Mobile phone management designee
Privacy and Security Incident Response Team Workforce members