Subject Matter Experts. Approval Authority Signed by
- Molly Thomasine Hodge
ARIES User Policy

HIV/STD Policy Number: HIV/STD
Effective Date: June 15, 2006
Revision Date: July 7, 2010
Subject Matter Experts: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

BVCOG Note: While DSHS has not updated this published document, it is NOT a draft but the policy currently in force.

1.0 Purpose

To provide guidance to Administrative Agencies (AA) regarding appropriate user(s) for the AIDS Regional Information and Evaluation System (ARIES) data application.

2.0 Authority

Ryan White Care ACT, 2009; Texas Health and Safety Code, Chapter 12, , , Chapter 85, ; Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202, Subchapter C Security Standards for State Agencies; Information Resources Management Act, Texas Government Code

Definitions

AIDS Regional Information and Evaluation System (ARIES): ARIES is web-based, client-level software that Ryan White and/or State Services HIV Providers use to report all Ryan White and State services provided to Ryan White eligible clients.

Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services (DSHS) to manage and distribute federal and state funds to HIV Service Provider(s).

Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.

HIV Service Provider: Organization(s) under contractual agreement with AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS.

Housing Opportunities for Persons with AIDS (HOPWA) Program: HUD's Office of HIV/AIDS Housing manages the HOPWA program in collaboration with 44 state and area CPD offices in providing guidance and program oversight. The Office works with other HUD offices to ensure that all HUD programs and initiatives are responsive to the special needs of people with HIV/AIDS. HOPWA funding provides housing assistance and related supportive services.

Ryan White HIV/AIDS Program: Program authorized in 1990 and administered by the U.S. Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA), HIV/AIDS Bureau (HAB). The program is for those who do not have sufficient health care coverage or financial resources for coping with HIV disease. Federal funds are awarded to agencies located around the country, which in turn deliver care to eligible individuals under funding categories called Parts.

4.0 Policy

It is the policy of the DSHS HIV Care Services Group that only users described in this policy will gain access to the ARIES system and data, thereby securing, protecting, and maintaining client confidentiality.

5.0 Persons Affected

This policy applies to the Administrative Agency Data Managers who grant access to the ARIES system.

6.0 Responsibilities

6.1 APPROPRIATE USERS

AA data managers will only give access to users working at agencies that receive Ryan White, HOPWA, or State Service funds to provide HIV services. Users should gain access to client-level data only when there is a direct and ongoing need that will improve and benefit client care and services. Access to client-level data may be given to supervisory or program management personnel at a service provider or the AA if the information is necessary for performing oversight of client services (e.g., granting a case management supervisor access to allow for review of case information and notes).

6.2 INAPPROPRIATE USERS

An AA data manager must not create users at agencies that are not HIV service providers or grant users access to client-level data through ARIES unless necessary to facilitate delivery of services to the client. AA must not create users whose sole need for access relates to surveillance, research, grant reporting, or other ancillary uses for these data.

6.3 EXCEPTIONS

Consideration of users not meeting criteria above will be a case-by-case decision by DSHS.

7.0 Procedures

The AA must develop local procedures to implement this policy and, on an annual basis, submit them within their Data Improvement Plan to DSHS for approval. Assignment of user permissions and rights must be consistent with ARIES Security Policy guidelines established by DSHS.

8.0 Revision History

Date        Action
06/25/2006  Original policy
07/07/10    Policy renumbered; expanded the definitions section and deleted sections relating to security (see ARIES security policy)

HIV/STD Prevention and Care Branch

ARIES Security Policy

HIV/STD Policy Number:
Effective Date: August 18, 2010
Revision Date: August 18, 2010
Subject Matter Expert: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

1.0 Purpose

This policy defines security standards for protecting the confidential information collected and maintained in ARIES by the HIV/STD program associated with HIV Care Services Data Group. This policy addresses the administrative, physical, and technical safeguards for the security of ARIES and confidentiality of client information. This policy describes the actions required of the Texas Department of State Health Services (DSHS) HIV/STD Program, Administrative Agencies, and service provider agencies which handle confidential client information collected and reported through ARIES. This policy also outlines procedures for data managers to use when authorizing, assigning roles, rights, and permissions to users, securing data and systems physically, as well as electronically.

2.0 Background

In fulfilling its mission to facilitate and assess need for HIV services, the DSHS HIV/STD program, its contractors and external partners obtain confidential information regarding individuals they serve. These individuals trust that the HIV/STD program will take every precaution to protect that information in order to ensure their confidentiality. The HIV/STD program and Administrative Agency must be vigilant in maintaining the integrity of the system (ARIES) that contains this confidential information.

3.0 Authority

Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C; Texas Government Code 2054, Information Resources Management Act

4.0 Definitions

Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services to manage and distribute federal and state funds to HIV Service Provider(s).

AIDS Regional Information and Evaluation System (ARIES): Web-based, client-level software that Ryan White and State Services HIV Providers use to report all Ryan White and State Services provided to Ryan White eligible clients.

Authorized User: Individuals employed by an Administrative Agency or service provider, who in order to carry out their assigned duties have been granted access to confidential information.

Breach of Confidentiality: A breach of protocol that results in the improper disclosure of confidential information: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.

Breach of Protocol: A departure from the established policies and procedures that may result in the improper disclosure of confidential information; an infraction or violation of a standard or obligation; this includes any unauthorized use of data, including de-identified data.

Advanced Encryption Standard: The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data.

Confidential Information: Any information which pertains to a patient that is intended to be kept in confidence or secret which if released could result in the identification of the patient.

Confidentiality: The ethical principle or legal right patients and research participants have that ensures their confidential information is protected from unauthorized disclosure by physicians, other health professionals or researchers with whom they have shared this information.

Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.

Encryption: The manipulation or encoding of information so that only parties intended to view the information can do so. There are many ways to encrypt information; most commonly available systems involve public key and symmetric key cryptography.

Local Responsible Party (LRP): An individual who accepts responsibility for implementing and enforcing ARIES security and confidentiality policies and procedures and has the responsibility of reporting and assisting in the investigative breach process.

Negligence: Negligence is the failure to use reasonable care. It is the failure to do (or not to do) something that a reasonably prudent person would do (or not do) under like circumstances. A departure from what an ordinary reasonable member of the community would do in the same community. Negligence is a 'legal cause' of damage if it directly, and in natural and continuous sequence, produces or contributes substantially to loss, injury, or damage, so it can reasonably be said that if not for the negligence, the loss, injury, or damage would not have occurred.

Password Protected: When files and directories are password protected from unauthorized access, a personal identifier and password must be entered by requiring users before access is allowed.

Personal Identifier: A datum or collection of data which allows the possessor to determine the identity of a single individual with a specified degree of certainty; a personal identifier may permit the identification of an individual within a given database. Bits of data, when taken together, may be used to identify an individual. Personal identifiers may include name, address or place of residence, social security number, telephone number, fax number, and exact date of birth.

Protected Health Information (PHI): Any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.

Removable Storage Device: A device that allows for the transportation of electronic information; there are many types including, but not limited to: USB port flash drives (memory sticks), diskettes, CD-ROMS, zip disks, tapes, smart cards, and removable hard drives.

Secured Area: A confined physical space within the AA or service provider agency where ARIES data and information are located with entry limited to staff with authorized access.

Secured Socket Layers: A cryptographic system that uses two keys to encrypt data, a public key known to everyone and a private or secret key known only to the recipient of the message, and allows a secure connection between a client and a server, over which any amount of data can be sent securely.

Security: The protection of surveillance data and information systems, for the purposes of (1) preventing unauthorized release of identifying surveillance information or data from the systems (e.g., preventing a breach of confidentiality) and (2) protecting the integrity of the data by preventing accidental data loss or damage to the systems. Security includes measures to detect, document, and counter threats to the confidentiality or integrity of the systems.

Service Provider Agency: Organization(s) under contractual agreement with AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS. Service Provider Agencies are required to enter relevant data into ARIES per their contractual agreement with the AA.

Suspected Breach: An alleged infraction or violation of a standard that may result in unauthorized disclosure of confidential information.

Wi-Fi (Wireless Fidelity): Refers to wireless network components that are based on one of the Wi-Fi Alliance's standards. The Wi-Fi Alliance created the standard so that manufacturers can make wireless products that work with other manufacturers' equipment. This equipment uses high-frequency radio waves rather than wires to communicate. Wi-Fi is commonly used to wirelessly access the Internet or a local network.

5.0 Policy

It is the policy of DSHS HIV Care Services that ARIES and the information collected in ARIES are protected and maintained to ensure patient confidentiality.

6.0 Persons Affected/Applicability

This policy applies to all Administrative Agency data managers and other ARIES authorized users who could potentially view and/or have access to ARIES and confidential information.

7.0 Responsibilities

AA data managers must ensure all users are authorized and that each authorized user has the correct permissions within the system. For example, users who do not need to see medical or risk information should not be given rights to those screens. The data manager must limit access to ARIES data through assignment of user permissions appropriate for a user's role. In addition, AA data managers must maintain a list of ARIES users, monitor user rights on a quarterly basis or when an employee changes position, and make appropriate changes as needed.

The data manager at the Administrative Agency is the Local Responsible Party (LRP) and is responsible for ensuring that an individual is designated as an LRP at each service provider site. Internally, at DSHS, the HIV/STD Comprehensive Services Branch Manager is designated as the LRP. The LRP will be responsible for implementing and enforcing security and confidentiality policies and procedures and for investigating suspected breaches.

Only DSHS and AA data managers have rights to ARIES Report/Export. The AA data managers must not grant ARIES Report/Export rights to any other users. The AA data managers must not grant unnecessary access to users within ARIES to run reports and export data.

AA data managers are responsible for ensuring that authorized users understand:

- ARIES users are individually responsible for ensuring that the confidential information they work with is protected. This responsibility includes protecting all passwords, keys, and codes that enable access to confidential information;
- ARIES users are responsible for reporting possible security risks to the LRP;
- ARIES users are individually responsible for protection of his/her own desk/work area, workstation, laptops or other devices associated with confidential information;
- ARIES users are responsible for challenging and reporting those persons who are not authorized to access confidential information;
- Confidential information gained in the course of work activity will not be divulged to unauthorized persons; and
- Upon resignation or termination, all confidential information and keys or devices that enable access to physical and electronic locations where confidential information may be stored must be returned to his/her immediate supervisor.

8.0 Procedures

8.1 Procedures for AA Data Managers

The AA data managers must develop local policy and procedures to implement this policy, including those associated with authorization of users and authorization of user permissions according to role. Additionally, AA data managers must also develop plans for how they will ensure that ARIES user and security policies are followed by AA staff, service provider agencies, and subcontracting personnel who use ARIES. AA data managers make certain:

- Each user has an individual login and security certificate; no login names or certificates can be shared, nor should generic login names be created.
- All users, prior to being given access to ARIES, successfully complete confidentiality and security training, sign a confidentiality agreement that affirms individual responsibility for keeping client information and data confidential, and sign an assurance that they have reviewed security policies and procedures relevant to their position. The confidentiality and assurance agreements must be signed annually. The original must be stored in the employee's personnel file and a copy must be maintained by the employee. The date(s) of the training(s) must be documented in the employee's personnel file.
- Revoke the user's rights within the ARIES system and contact DSHS staff by telephone and to revoke user rights immediately after a user leaves employment or no longer requires access to ARIES.

8.2 Procedures for ARIES Data Requests

Releases of electronic client level data files to third parties for grant development, research, needs assessment, creation of reports or any other purpose must not be made without DSHS approval, and DSHS reserves the right to require that the party requesting the data submit the request to DSHS Institutional Review Board if the request appears to be related to research or includes a request for the release of client identifying information.

Routine requests for utilization reports and aggregate profiles of clients served from staff other than funded providers or AA staff may be released without consultation with DSHS. However, aggregate profiles of client characteristics that include cross-tabulated tables with cells that contain fewer than 10 clients should be released only after such cells have been redacted and replaced with a mark indicating a small cell count precludes inclusion of the specific figure.

9.0 Physical Security

9.1 Building Security

All confidential information must be maintained in a secure area. No remote access is allowed. A secure area is an area that is protected by at least one level of physical security, although it is preferable that such information be maintained behind two levels of physical security. Examples of physical security levels include a secured access card reader, locked door or a security guard. The physical security of the building containing the confidential information must be approved by both the provider LRP and the AA data manager.

9.2 Computer Workstations

All computer workstations with access to ARIES data must be physically located in a secure area.
No laptops or other portable computing devices can be programmed to have ARIES access without DSHS approval and only if they abide by 12.0 & 12.1 in this document.

Workstations with access to ARIES must be password protected at the Windows login level and have a password protected screensaver program installed and activated. The screensaver should be set to automatically activate in 5 minutes or less when the workstation is not in active use. Passwords must comply with DSHS-published password guidelines found at:

Computer passwords are unique to the authorized user and must not be shared with others. If a password's security is in doubt, it must be changed immediately. Authorized users are responsible for locking computer workstations (Ctrl/Alt/Delete - Lock Workstation) when a workstation is left unattended. No one should access a computer or network using another person's access without written authorization.

Computer screens must not be readily observable by non-authorized users as they pass through the office area or approach reception desk. Security screens may be installed on computer monitors to prevent viewing of information on the computer screen by anyone other than the authorized user.

ARIES must not be accessed or worked with on any computer that is not secure. This includes no remote access such as Go To My PC or VPN.

Any client-level information or aggregate reports which could potentially identify a client should not be transmitted by e-mail. Protected Health Information can be e-mailed via an attachment that is encrypted and password protected as long as the password is delivered through a phone call or in a separate e-mail that does not contain any identifying information or the words HIV and/or AIDS. If a client or provider e-mails about their specific case, it is best practice to e-mail the person back and ask them to call the provider directly. Staff should not include any identifiers within the e-mail that pertain to HIV or AIDS, such as the program name or descriptions within their signature block.

Handling Electronic Data

11.1 Electronic Data Access

Access to ARIES will only be granted as defined in the user policy. ARIES may be accessed solely by the person whose name is on the ARIES certificate used. Logins and certificates will be approved only for individual users; no generic or shared logins will be approved. Certificates will not be installed on roaming Windows profiles. Network drives containing confidential information must have controls in place that enable access to only authorized users. Staff may not attempt to access any data, program, or system for which they do not have approved authorization.

Electronic Data Transmission

Only DSHS and AA data managers have rights to ARIES Report/Export. AA data managers must not grant ARIES Report/Export rights to any other users. AA data managers must ensure and monitor that confidential data exported for the purpose of evaluation, monitoring, or quality assurance by the submitting agency or the AA are physically and electronically secure and disposed of properly. Exported confidential information for the purpose of evaluation, monitoring, or quality assurance with the AA or the submitting agency must not be taken to a private residence unless specific permission has been granted by the state LRP. Likewise, remote access of a work computer from home in order to access ARIES is prohibited.

Removable, External Storage Devices

All staff authorized to access confidential information must be individually responsible for protecting their assigned portable devices including, but not limited to: PDA, blackberries, cell phones, flash drives, diskettes, CD-ROMS, zip disks, tape backups, removable hard drives, smart cards, and/or GPS systems.

Laptops

Laptops used as work computers fall under the same confidentiality and security guidelines as indicated under section 10.0 Physical Security. ARIES security certificates will be installed on laptop computers only with DSHS approval and under the following requirements:

- There is a signed ARIES Laptop Agreement that can be obtained from AA;
- DSHS approves the signed agreement;
- The laptop user has a separate signed statement indicating receipt and understanding of laptop agreement/requirements;
- The laptop is docked;
- The laptop does not leave the office; and
- The laptop does not have a wireless Internet connection.

Removable Storage Devices

All confidential information placed on a removable storage device must be encrypted using encryption software meeting Federal Information Processing Standards (FIPS) for the Advanced Encryption Standard (AES), FIPS-197, and password protected. Passwords must be stored separately from the device.

When taking confidential data stored in removable storage devices from one secure area to another secure area, data must be encrypted, minimized to the essential data required, and stored on devices that are kept secure. Any removable storage device containing confidential information is to be stored following the physical and electronic standards of this document. Removable storage devices containing confidential information must not be taken to a private residence unless specific permission has been granted by the state LRP.

Acceptable methods of sanitizing diskettes and other storage devices that previously contained sensitive data include overwriting or degaussing (demagnetizing) before reuse. Alternatively, the diskettes and other storage devices may be physically destroyed (e.g., by incineration, shredding). Such physical destruction would include the device, not just the plastic case around the device.

Personal Storage Devices (PDA)/Blackberries/Cell Phones

PDA, Blackberries or cell phones will not be used to access, store or transmit confidential information.

Evolving Technology

If the security guidelines specified in this policy do not cover evolving technology, it is the responsibility of the AA data managers or service provider LRP to seek the guidance of DSHS.

Revision History

Date             Action                 Section
August 18, 2010  This is a new policy   all

ARIES Data Managers Core Competencies

HIV/STD Policy Number: HIV/STD
Effective Date: March 27, 2000
Revision Date: August 18, 2010
Subject Matter Experts: Services Data Internal Workgroup
Approval Authority: HIV Care Services Group Manager
Signed by:

1.0 Purpose

Although ARIES is centralized, the Department of State Health Services (DSHS) directs local Administrative Agencies to maintain on staff local data managers who are to train and assist local users and assure the quality and use of the data in ARIES. This policy establishes ARIES Data Manager Core Competencies. These core competencies are intended to provide guidance on the required activities and standards and the knowledge, skills, and abilities needed in a local ARIES data manager. Additionally, core competencies were developed to enhance the quality and utility of data entered onto and retrieved from the AIDS Regional Information and Evaluation System (ARIES).

2.0 Authority

Ryan White Care ACT, 2009; Texas Health and Safety Code (HSC) ; HSC ; HSC ; HSC ; Texas Administrative Code, chapter 25,

Definitions

AIDS Regional Information and Evaluation System (ARIES): ARIES is web-based, client-level software that Ryan White and State Services HIV Providers use to report all Ryan White and State Services provided to Ryan White eligible clients.

Administrative Agency (AA): Entity under contractual agreement with the Department of State Health Services (DSHS) to manage and distribute federal & state funds to HIV Service Providers.

Data Managers: Staff at the Administrative Agency responsible for providing support to local organizations using ARIES to report their service delivery activities.

HIV Service Provider: Organization(s) under contractual agreement with AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV/AIDS.

Ryan White HIV/AIDS Program: Program authorized in 1990 and administered by the U.S. Department of Health and Human Services (HHS), Health Resources and Services Administration (HRSA), HIV/AIDS Bureau (HAB). The program is for those who do not have sufficient health care coverage or financial resources for coping with HIV disease. Federal funds are awarded to agencies located around the country, which in turn deliver care to eligible individuals under funding categories called Parts.

Policy

It is the policy of DSHS that AA data managers are required to perform certain activities and possess certain knowledge, skills, and abilities, which include but are not limited to managing and overseeing data collecting, reporting, and the Uniform Reporting System ARIES.

5.0 Persons Affected

This policy applies to the Administrative Agencies and the AA data managers.

6.0 AA Core Competencies

6.1 Competency in Developing Local Policy and Procedures

The AA data managers must develop local policy and procedures to implement all policies relating to ARIES and the data collected through ARIES. The local level includes AA staff, service provider agencies, and subcontractors.

6.2 Competency in Providing Training and Technical Assistance

AA data managers must:

- provide effective ARIES training and technical assistance to staff at AA and service provider agencies who use ARIES;
- consult with ARIES personnel at DSHS for assistance on complex technical questions and relay information to local users;
- provide presentations, briefings and training sessions on ARIES operations for subcontractors and in-house personnel; and
- ensure ARIES computers meet or exceed necessary software and hardware requirements for current and future needs.

6.3 Competency in Establishing Local Physical & Electronic Security

Data managers must ensure that physical and electronic security is maintained at a local level as set forth in DSHS ARIES User Policy and ARIES Security Policy. The AA data managers must develop local policy and procedures to implement DSHS ARIES User Policy and ARIES Security Policy. AA data managers must also develop plans for how they will ensure that ARIES user and security policies are followed by AA staff and service provider agencies.

6.4 Competency in Data Quality Monitoring and Improvement

AA data managers must ensure data entered into ARIES is of high quality as established in DSHS Data Improvement Plans Policy. The AA data managers must develop local policy and procedures to implement DSHS ARIES Data Improvement Plans. ARIES data managers must monitor the completeness, accuracy and timeliness of ARIES data for the AA overall and for each individual service provider and the completeness of aggregate and client-level reports required by HRSA. In addition, data managers are responsible for preparing the Data Improvement Plan, which sets goals for improvement and maintenance of ARIES data quality.

Competency in Providing Data-Driven Strategic Support

Work with AA staff to determine the information needed to support AA decision making and contract monitoring. Develop a set of standard and customized reports and queries to provide this information, agree upon an internal schedule for the production of these reports, and implement that schedule. This may require using software outside of ARIES to produce the requested data. Provide assistance in interpretation of these reports as necessary.

The data manager must ensure that providers enter data for aggregate and client-level reports required by HRSA each year. HRSA-required aggregate-level and client-level data reports must be submitted to DSHS 15 business days prior to the grantee submission deadline.

7.0 Revision History

Date        Action
03/27/2000  Original policy
/18/2010    Policy renumbered; expansion of definitions section; outline of the five core competency areas
15 ARIES Data Improvement Plan Policy Number HIV/STD Effective Date August 18, 2010 Revision Date August 18, 2010 Subject Matter Expert Approval Authority Signed by Services Data Internal Workgroup HIV Care Services Group Manager 1.0 Purpose This policy provides guidance to Administrative Agencies (AA) regarding requirements for the annual submission of an ARIES (AIDS Regional Information and Evaluation System) Data Improvement Plan (DIP). 2.0 Background ARIES was created to facilitate reporting of information on the delivery of HIV medical and psychosocial supportive services by agencies receiving Ryan White and State Services funds. As a condition of their grant awards, Ryan White HIV/AIDS Program grantees are required to report data on clients, services provided, and expenditures. In order for these data to be useful to planners, monitors, evaluators, and policy makers, the data must be of high quality. The Department of State Health Services (DSHS) HIV Care Services Group must ensure Administrative Agencies ARIES data entries are timely, complete, and accurate. 3.0 Authority Ryan White Care ACT, 2009; Texas Health and Safety Code, Chapter 12, , , Chapter 85, Definitions Administrative Agency (AA) Entity under contractual agreement with the Department of State Health Services to manage and distribute federal and state funds to HIV Service Provider Agencies AIDS Regional Information and Evaluation System (ARIES) Web-based, client-level software that Ryan White and/or State Services HIV Providers use to report all Ryan White and State services provided to Ryan White eligible clients. Assessment of Accuracy of Reports A systematic and routine assessment of the degree to which ARIES entries are valid, and reflect actual services, costs, client characteristics, and health status indicators. Assessment of Completeness of Reports Routine examination of client records within ARIES to assure all applicable required fields have entries. 
Breach of Confidentiality: A breach of protocol that results in the improper disclosure of confidential information. The result is confidential information being: 1) accidentally or purposefully released verbally, electronically, or by paper medium, to an entity or person that by law does not have a right or need to know, or 2) purposefully accessed either in person or electronically by an entity or person that by law does not have a right or need to know.
Eligible Reporting Scope: Ryan White HIV/AIDS program data that includes all clients receiving services eligible to be paid for with Ryan White HIV/AIDS program funds, regardless of whether Ryan White HIV/AIDS Program funds were actually used to pay for the services.

Fee for Service: Fee-for-service is a standard business model where services are unbundled and paid for separately. Providers are paid a specified amount for each service provided.

Funding Stream: A source of available funds for client services associated with a contract.

Health Resources and Services Administration (HRSA): An agency of the U.S. Department of Health and Human Services; it is the primary Federal agency for improving access to health care services for people who are uninsured, isolated, or medically vulnerable.

Service Provider Agency: Organization(s) under contractual agreement with AA to provide HIV-related medical and psychosocial support services to person(s) living with HIV. Service Provider Agencies are required to enter relevant data into ARIES per their contractual agreement with the AA.

5.0 Policy

It is the policy of DSHS HIV Care Services that each AA must submit, implement, and report progress towards DIP goals.

6.0 Responsibilities

ARIES data managers must monitor the completeness, accuracy, and timeliness of ARIES data for the AA overall and for each individual service provider, and the completeness of aggregate and client-level reports required by HRSA. In addition, data managers are responsible for preparing the Data Improvement Plan, which sets goals for improvement and maintenance of ARIES data quality. The DIP is submitted by April 1 of every year to DSHS HIV Care Services Group. Additionally, the AA must implement the DIP and report progress towards goals by submitting quarterly updates to DSHS HIV Care Services Group as outlined in the contract. DSHS must approve each AA's DIP.

7.0 Procedures

The AA must develop local procedures to implement this policy.
8.0 DIP Requirements

The DIP should include:

1. A plan and implementation for providing training to contracted service providers as well as AA staff;
2. Description of procedures for receiving and responding to requests for technical assistance associated with ARIES;
3. Plans for site visits and data quality audits, including a description of the methods to be used at audits;
4. Plans for routinely assessing the following domains of data quality: Timeliness of ARIES data entry; Validity of ARIES data; Completeness of ARIES data; and Completeness of aggregate and client-level reports required by HRSA.
5. Identification of areas needing improvement relating to data quality and establishment of goals for improvement of data quality in any or all of the above domains. When setting goals for areas not meeting minimum data quality requirements set forth in this policy, the DIP should establish progressively increasing goals aimed at meeting the minimum requirements.
6. Data managers are required to maintain minimum data quality requirements in areas where minimum requirements are already being met. The DIP should include an acknowledgement and commitment towards maintaining minimum data quality requirements for areas where minimum requirements are already being met.

9.0 Data Quality Minimum Requirements

Establishing DIP goals requires data managers to continuously monitor ARIES data for the overall AA and for each service provider agency. Each service provider agency is required to submit data into ARIES for clients as defined by HRSA eligible reporting scope. Data managers may focus improvement efforts for the domains of data quality on selected service providers with deficiencies or across service providers on selected fields to achieve improvements in data quality. Each AA's plan for routinely assessing the domains of data quality must include the following types of monitoring and assessment for DSHS and HRSA required data elements:

1. Timeliness of ARIES Data Entry

Data managers must routinely assess the timeliness of ARIES data entry, and work with HIV service providers with consistently late entries to improve timeliness. Entries associated with medications, ambulatory/outpatient medical care and laboratory services, including the cost for these services, must be entered within 30 days of the date of the service/encounter. Client descriptive information and information associated with other service entries, including cost of service, must be entered into ARIES within 5 business days from date of service/encounter.

2. Validity of ARIES Data

Data managers must verify the information in randomly selected ARIES records against documentation/records available at the service site on at least an annual basis.
A random sample selection of ARIES records must consist of 10% or at least 10 records within a specified review period. This should include validating the information on services delivered and values of health indicators, such as CD4 and viral load test reports, if included in the record. The methods and schedule for conducting audits must be specified by the AA in the DIP, which may be satisfied through reference to written policy or procedure at the AA.

3. Completeness of ARIES data:

A) Missing/Unknown Data

DSHS and HRSA required data elements must not contain more than 5 percent missing or unknown. Data managers must ensure integrity of ARIES data by analyzing unknown, missing, invalid data fields by running reports and evaluating data entry procedures at HIV service providers.
B) Duplicate Client

To avoid creating duplicate clients, data managers should ensure that all fields used to construct the Unique Record Number (URN) and extended URN have no missing values. Data managers must routinely assess the degree of duplication within client records and work with DSHS to assure that known duplicate client records and entries are eliminated from the system or merged across records.

C) Cost Reporting

The ARIES data manager must ensure that all service entries have a cost in the cost field. These costs can be based on fee for service, unit cost, or a good faith cost calculation. AA must provide guidance and technical assistance to service providers to assure that services reported within ARIES are attributed appropriately to the various funding streams available for services. This is especially important when multiple funding streams are available to support the delivery of any one service within a service provider.

4. Completeness of RDR and RSR Annual Performance Reports

Data managers must notify service providers of the requirement to report all eligible services reported for all eligible clients and assess conformity to this requirement (eligible reporting scope).

DIP Quarterly Updates

Progress reports should include an outline of the method and timeline to address and resolve identified areas needing improvement each quarter. After DSHS provides the AA data managers with written feedback regarding its quarterly DIP performance, the AA must provide a response in written format to DSHS within 10 days of receiving DSHS feedback.

Revision History

Date | Action | Section
July 7, 2010 | This is a new policy | all
Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationPrivacy Shield Policy
Privacy Shield Policy Catalyst Repository Systems, Inc. (Catalyst) has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data privacy protection. This
More informationSecurity and Privacy Breach Notification
Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains
More informationDonor Credit Card Security Policy
Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry
More informationUT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES
ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary
More informationNebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015
Nebraska State College System Cellular Services Procedures Effective Date June 15, 2012 Updated August 13, 2015 Definitions Cellular Telephone Service For the purposes of this policy, cellular telephone
More informationDepartment of Public Health O F S A N F R A N C I S C O
PAGE 1 of 7 Category: Information Technology Security and HIPAA DPH Unit of Origin: Department of Public Health Policy Owner: Phillip McDown, CISSP Phone: 255-3577 CISSPCISSP/C Distribution: DPH-wide Other:
More informationProtecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors
Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors Presented by the Office of Housing Counseling and The Office of the Chief Information Officer Privacy Program
More information