LifeWays Operating Procedures

Transcription

1 GUIDELINES AND REQUIREMENTS I. PURPOSE To define the security, privacy and professional standards and considerations regarding electronic mail communication. II. SCOPE This procedure covers appropriate use of any sent from a LifeWays address and applies to all employees, contractors, students, and volunteers operating on behalf of LifeWays. III. DEFINITIONS The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical clients include Microsoft Outlook, Gmail, Yahoo and Hotmail. Forwarded resent from an internal network to an outside point. Chain or letter sent to successive people. Typically, the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed. Protected Health Information (PHI) PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. Sensitive information Information is considered sensitive if it can be damaging to LifeWays or its customers' reputation or market standing. Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside LifeWays, who do not have a need to know that information. U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Mass Message A single message sent to a large number of recipients all at the same time Phishing The attempt or act of defrauding a network user by posing as a legitimate entity, usually through , in order to steal or leverage sensitive information for financial gain. Page 1 of 8

2 IV. PURPOSE A. The purpose of this procedure is to outline the guidelines that must be followed to help the employee make the best use of the electronic mail resources at his or her disposal while following practices that ensure the protection of confidentiality and minimize the potential threats to the LifeWays information systems infrastructure. V. COMMUNICATION PRIVILEGES & MONITORING A. The telephone, facsimile and computer, including the system, are tools to ensure efficient communication. These tools, provided by LifeWays, are necessary for carrying out day-to-day business communication at LifeWays. Complaints of improper use of these communication systems will be investigated as necessary to ensure compliance with this procedure. B. As the communication tools provided by LifeWays are not employee rights; employees should have no expectation of privacy in their communications including those via the telephone, voic , facsimile or computer systems. Employees should know that even if an is deleted from their computer screens, it is not deleted from the system. Electronic messages are archived for at least two (2) years. Private passwords assigned or created by employees to enable their access does not make private, since these messages can still be accessed. Additionally, employee messages sent and received through a personal, Web-based account (e.g. Yahoo) on a company-owned computer are NOT private either. LifeWays reserves the right to monitor any data and communications on any employer-provided telecommunication and computer systems. VI. ACCEPTABLE USE AGREEMENT FOR A. The agency shall implement an Acceptable Use Agreement between LifeWays and the individual employee to identify the user s responsibilities in protecting information and ensuring appropriate use of the agency s technology resources. B. This agreement shall address the acceptable use of electronic mail. The employee will receive and sign the agreement at the time of hire and annually thereafter during annual training. (Refer to Attachment 1 for a copy of the Acceptable Use Agreement for Electronic Mail.) VII. PROHIBITED USE OF ELECTRONIC MAIL A. The following are some specific examples of prohibited usage of systems. This list is not to be considered all-inclusive. Page 2 of 8

3 1. Do not use for urgent or time-sensitive communications, unless this is the sole source of communicating the information. 2. Do not use addresses for marketing purposes except as described in the LifeWays Marketing & Public Relations policy. 3. Do not share accounts with anyone, including family members or co-workers. B. Further questions regarding appropriate use of electronic mail should be directed to the employee s supervisor or the Director of Information Technology. VIII. GENERAL RULES FOR ENSURING CONFIDENTIALITY OF ALL ELECTRONIC MAIL CONTAINING PROTECTED HEALTH INFORMATION (PHI) A. Minimum Necessary: When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make every effort to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Simply being an employee within a covered entity does not allow you access to protected health information unless you have a need to know to perform your essential job functions. B. Users of telecommunication systems, such as , are in a uniquely important position to uphold privacy and protection of information, as they have the capacity to forward, print or circulate any message. As a result of being in this position, users must adhere to the following general rules: 1. Users should use discretion and confidentiality protections equal to or exceeding that which is applied to written documents. 2. PHI received or transmitted via electronic mail must be protected using encryption. A password-protected document is not necessarily encrypted. (Refer to LifeWays procedure Use and Disclosure of Protected Health Information for general privacy and security policies regarding information technology.) 3. The LEO Message system shall be used to communicate issues pertaining to consumer s treatment for users within the CMH system, as this is a secure platform for case discussion that includes PHI. The LEO Message system shall not be used for general, operational s that are not consumer-specific. Communication of this type (not consumer-specific) should be conducted through the LifeWays primary (Outlook 4. Printers must be operated in a secure manner to protect information confidentiality in an area that is accessible to staff only and not to consumers or visitors. Printed materials must be retrieved immediately. Page 3 of 8

4 5. Basic communication systems are not inherently secure. sent via the Internet and other external systems can be intercepted and read by individuals other than the intended recipient. Therefore, when is used for communication of confidential or sensitive information, specific measures must be taken to safeguard the confidentiality of the information. The safeguard measures are as follows: 6. The recipient s address should be confirmed before sending. Obtaining an e- mail address from a directory is not proof that the will go to the proper recipient. If the sender is unsure of the accuracy of the recipient s address, contact should first be made (by any means, including ) to confirm that the address is correct. 7. All communications containing PHI must be encrypted. This can be accomplished by: a. Typing the word, Confidential in the subject line of Outlook, when using the LifeWays system. b. originating from a LifeWays employee account (i.e. lifewayscmh.org) sent to a LifeWays employee account is already encrypted. No further encryption is required when sending PHI. Other guidelines such as Minimum Necessary and Need to Know still apply. 8. The subject line should also include a notation referring to the sensitive nature of the , to further safeguard the confidentiality of electronically submitted data. 9. subject lines cannot be encrypted and shall therefore never include PHI. 10. The signature block should include the following statement for all communications: a. Confidentiality Note: The information transmitted is intended for the person or entity to whom or which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is strictly prohibited. If you receive this in error, please notify the original sender immediately by return and delete this message along with its attachments from your computer. 11. The use of distribution lists is prohibited when an contains PHI. 12. Double-check all address fields prior to sending messages, including to, cc, and bcc. 13. PHI must only be distributed to those with a legitimate need to know. 14. Distribution of PHI other than for treatment purposes is restricted to the minimum amount that is reasonably necessary information to use or disclose. Page 4 of 8

5 15. Distribution of PHI outside of LifeWays constitutes a disclosure of PHI and shall only be done with prior authorization from the consumer and shall also be tracked and logged in accordance with the HIPAA regulation. 16. The option to request a read receipt is recommended as a method to ensure delivery to the intended recipient. 17. For extended absences, an employee shall either have forwarded to their Supervisor at LifeWays or have an auto-reply message stating the employee cannot answer the at this time and providing instruction on alternative methods of contacting LifeWays. 18. The LifeWays electronic medical record (EMR) provides a secure internal messaging system, and should be used to communicate protected health information for the purposes of coordinating treatment with other healthcare providers that have a release to exchange information. IX. CORRESPONDENCE WITH CONSUMERS A. Corresponding with consumers over should be limited and only occur when the user can communicate in a manner that does not disclose protected health information and after a written authorization is obtained from the consumer. B. If the situation escalates, users must be able to re-direct the consumer to communicate through a phone call or office visit. X. PERSONAL USE A. The LifeWays system is provided to employees by the agency to conduct business activities. LifeWays shall not to be used as personal . XI. MASS MESSAGES A. In addition to the risk that is presented by sending mass- s, mass s generate a large amount of data that must be maintained by the agency. Therefore, mass mailings sent from a LifeWays account shall be infrequent and made with a high level of discretion. B. External Mass mailings that include external recipients and are delivered from Microsoft Outlook or Constant Contact (the company s marketing system) must be approved by the employee s Supervisor before sending. C. Internal LifeWays has provided the distribution group lwteams for internal mass mailings. This distribution group is available to all employees, but must also be used Page 5 of 8

6 with a high level of discretion. Employees shall adhere to the following guidelines: 1. Personnel related s, including employee benefit fundraisers, must be coordinated by the Human Resources Department. Related communication to all-staff that utilizes the lwteams distribution group, or individual addresses, must be approved by or delivered from a Human Resources team member. 2. Company activities, including Perks team activities or other company-wide events, must be coordinated by the Perks Team. Related communication to all-staff that utilizes the lwteams distribution group, or individual addresses, must be approved by or delivered from a Perks team member or the Perk team leader. 3. Individual employee activities, such as personal fundraisers or selling, shall not be communicated to all-staff using the lwteams distribution group. LifeWays supports individual employee activities and selling, but this must be communicated through alternative means, such as the Employee Activities Bulletin Boards in the company Break Room. 4. When an employee receives an message sent to lwteams or any other distribution group, the recipient should only use the, Reply all option when the reply pertains to everyone on the distribution list. Otherwise it is more desirable to use the, Reply option, responding only to the individual who originated the . D. Employees shall follow the above guidelines and seek clarification from their immediate supervisor on other unusual circumstances that must be communicated to all-staff using the lwteams distribution group. XII. SPAM AND VIRUS PROTECTION A. LifeWays uses Microsoft Exchange Online service. Exchange Online is a component of the LifeWays Office 365 Enterprise Level 3 subscription, purchased annually from Microsoft. B. Exchange Online Protection, included with Exchange Online, provides inbound and outbound spam filtering, malware and virus filtering, and quarantine. C. Employees will receive a Spam Notification message when a potentially dangerous is captured by the filtering system. Employees have the option to release the from quarantine, report the as not junk or simply leave it in quarantine. If a sender is not recognized, the user should leave the message in quarantine. D. Employees should never click on a link in an message that is not from a recognized sender. Never open an that seems suspicious. Phishing is one of the most common tools cybercriminals use to compromise IT networks, breach security measures, exact Page 6 of 8

7 ransoms and steal data. Employees should immediately direct concerns about questionable to the Information Technology Team. XIII. PROFESSIONALISM A. Employees must remember that all activities from a LifeWays communications system will be regarded as activities authorized by LifeWays. Employees shall not create or forward communications that contain abusive or objectionable language, that defame or libel others, or that infringe on the privacy rights of others, or which would otherwise violate employer policies, including, but not limited to, the Workplace Conduct policy. B. Employees must recognize that communications can be sequestered for local, state and federal investigations. C. Employees may not delete, alter, re-configure computer hardware or software or use the passwords and encryption keys of other employees to gain access to other employee s communications systems. D. Employees must take extra effort to ensure every communication is conducted in a professional, ethical and confidential manner. In addition to requiring each to have professional and respectable content within the body of the , LifeWays requires that employees utilize a standard format and signature block. This allows the company to communicate a consistent and professional image to internal and external customers E. Guidelines for format: 1. No backgrounds 2. No logos, graphics except those specifically sanctioned by LifeWays 3. Subject line is specific (is not null) 4. Subject line can never contain PHI 5. Subject line includes the word Confidential for that contains PHI 6. Salutation and closing is included 7. Standard Company Signature Block is used, which includes contact information and Confidentiality Statement F. Standard Company Signature Block: First and Last Name, Credentials (if Applicable) Job Title LifeWays Community Mental Health Proudly Serving Jackson & Hillsdale Counties Direct Line 10-Digit Phone Number 10-Digit Fax Number Page 7 of 8

8 LifeWays Community Mental Health, in partnership with our community and provider network, inspires hope and equips individuals on their journey toward recovery and wellness. Confidentiality Note: The information transmitted is intended for the person or entity to whom or which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is strictly prohibited. If you receive this in error, please notify the original sender immediately by return and delete this message along with its attachments from your computer. XIV. ENFORCEMENT A. Employees will be expected to follow the guidelines within this procedure and seek out the necessary training and education from the Information Technology Team where needed to support compliance. B. Any employee found to have violated this procedure may be subject to disciplinary action in accordance with Human Resources policies and procedures. ATTACHMENTS Acceptable Use Agreement for Electronic Mail (LW # A) Instructions for changing your signature block in Outlook (LW # B) REFERENCES Audience: LifeWays Board/Staff LifeWays Provider Network U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) LifeWays Policy Information Systems and Risk Management LifeWays Operating Procedures Use and Disclosure of Protected Health Information Acceptable Internet Use HISTORY * Formerly Guidelines and Requirements Effective 05/01/2008 Reviewed/Revised: 05/12 7/14, 11/14, 2/17 Page 8 of 8

9 Acceptable Use Agreement Electronic Mail User Responsibilities Introduction The agency provides employees with electronic mail to support effective, efficient communication both internally and externally. is necessary for carrying out day-to-day communication at LifeWays. These guidelines are intended to help you make the best use of electronic mail, while following practices that ensure the protection of confidentiality and minimize potential threats to the agency s IT infrastructure. You should understand the following All electronic mail activity is monitored and logged and can be sequestered for local, state and federal investigations. All electronic mail coming into or leaving the agency is scanned for viruses and offensive materials. The agency reserves the right to monitor communications on any and all devices provided by LifeWays. Users shall have no expectation of privacy in anything they store, send or receive using the agency s electronic mail resources. The agency may monitor messages without prior notice. LifeWays IT team uses a multi-tiered approach to maintaining a secure environment. Users play a key role in and data security. sent from one LifeWays account to another is inherently more secure than sent to external recipients. Therefore, when is used to send Protected Health Information (PHI), specific measures must be taken to safeguard the confidentiality of that information. All users of the agency s electronic mail resources must comply with the following guidelines Protect identifying consumer health information by using only the minimum necessary to accomplish the intended purpose. Use the secured messaging system within the electronic medical record system (LEO) when protected health information (PHI) is necessary in communications. s containing PHI, going to non-lifeways recipients (i.e. non-lifeways addresses), MUST be encrypted. Type the word CONFIDENTIAL in the subject to encrypt . Never include PHI in the subject of an message. Take extra effort to ensure every electronic mail communication is conducted in a professional, ethical and confidential manner. Double-check the address line (To:, Cc:, Bcc:) before sending a message to ensure you are sending it to the right person who has a need to know. Do not forward electronic mail messages sent to you personally, to others without the permission of the originator. Use a high-level of discretion and obtain supervisor approval before sending a mass mailing externally or internally. Use, Reply when responding to an message. Only use, Reply All when it is truly necessary to all recipients in an distribution group. Delete electronic mail messages when they are no longer required. Only use the LifeWays electronic mail system for business purposes. Do not represent yourself as another person or share electronic mail accounts with colleagues. Include the agency s standard signature block and confidentiality statement for all electronic mail messages. Employee Signature Date If you are in any doubt about an issue affecting the use of electronic mail you should consult Technology Services. Significant breach of the agency s Electronic Mail Acceptable Use Agreement may lead to disciplinary action. Reference: 1 LifeWays Policy Telecommunication Systems LifeWays Operating Procedure Acceptable Use of Information Technology Resources LifeWays Operating Procedure Guidelines and Requirements U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) LW # A 03/01/14

10 Instructions for Changing Your Signature Block in Outlook 1 LifeWays Tech Tip LW # B 12/20/2013

11 Instructions for Changing Your Signature Block in Outlook LW # B 12/20/2013

12 Instructions for Changing Your Signature Block in Outlook 3 LifeWays Standard Signature: First and Last Name, Credentials (if Applicable) Job Title LifeWays Community Mental Health Proudly Serving Jackson & Hillsdale Counties Direct Line 10-Digit Phone Number 10-Digit Fax Number LifeWays Community Mental Health, in partnership with our community and provider network, inspires hope and equips individuals on their journey toward recovery and wellness. Confidentiality Note: The information transmitted is intended for the person or entity to whom or which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of this information by persons or entities other than the intended recipient is strictly prohibited. If you receive this in error, please notify the original sender immediately by return and delete this message along with its attachments from your computer Complete! LW # B 12/20/2013