FLORIDA'S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM


FLORIDA'S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM END USER SECURITY POLICY MANUAL

1 INTRODUCTION ... 3
2 INFORMATION USAGE AND PROTECTION ... 3
2.2 PROTECTED HEALTH INFORMATION ... 3
2.3 CONFIDENTIALITY ... 3
3 EMSTARS SECURITY ... 4
3.2 Data Structure ... 4
3.3 AUTHENTICATION ... 4
3.4 AUTHORIZATION ... 5
3.4.1 SYSTEM ADMIN ... 5
3.4.2 DATA ANALYST ... 5
3.4.3 KEY USER ... 5
3.4.4 PLATINUM REPORTING ... 5
3.4.5 GOLD REPORTING ... 5
3.4.6 SILVER REPORTING ... 6
3.4.7 PUBLIC ACCESS ... 6
3.4.8 MULTIPLE AGENCIES ... 6
3.5 TRACEABILITY ... 6
3.6 USER RESPONSIBILITIES ... 6
3.6.1 PASSWORD PROTECTION ... 6
3.6.2 ACCESS LOCATIONS ... 7
3.6.3 MAINTAINING CONFIDENTIALITY ... 7
3.6.4 REPORTING UNAUTHORIZED ACCESS ... 7
3.6.5 PENALTIES ... 8

1 INTRODUCTION

The purpose of this reference document is to present the EMSTARS End User Security Policy and its associated procedures. All prospective users of the EMSTARS system must acknowledge receipt and sign the End User Security Policy prior to obtaining access to the system. Additional documentation material may be referenced throughout this document and is available as supplemental reference material on the EMSTARS Website.

2 THE END USER SECURITY POLICY

2.2 PROTECTED HEALTH INFORMATION

Electronic Protected Health Information (ePHI), as defined by HIPAA, is securely transmitted to the EMSTARS system from provider agencies across the state. However, this ePHI, which contains personally identifiable information on patients, is not accessible by unauthorized users and will not be displayed on the reports that are generated.

2.3 CONFIDENTIALITY

Beyond protected patient information, the EMSTARS system also contains confidential information on Florida's EMS system and the delivery of services by local provider agencies. The information contained within the system and its reports is intended for use by Florida's local and state EMRCs and/or Quality Assurance Committees. Pursuant to 401.425(5), Florida Statutes, the records obtained or produced by the EMRC providing quality assurance activities are exempt from the provisions of 119.07(1) and s. 24(a), Art. I of the State Constitution, and EMRC proceedings and meetings regarding quality assurance activities are exempt from the provisions of s. 286.011 and s. 24(b), Art. I of the State Constitution. Local EMRCs and/or Quality Assurance Committees are free to distribute any information regarding their particular agency. However, where system or provider performance information or sensitive performance data is involved, the distribution or sharing of electronic or paper reports with other organizations or public safety entities is strictly prohibited and regulated by DOH.
This includes, but is not limited to, city or county government, law enforcement, hospitals, universities or other higher learning institutions, and any organization or person outside the state of Florida and not directly affiliated with Florida's EMS system. The EMS Data Unit will provide information, upon request, to these types of organizations after a state-level EMRC review has been completed. The EMRC provides a mechanism for statewide and national EMS data analysis for the purpose of statewide quality improvement. Information provided by Florida EMS agencies through the Emergency Medical Services Tracking and Reporting System (EMSTARS) and other data sources will be collected. The information will be queried, including development of the report process, as directed by the EMRC. All requests for data must be routed to the EMRC's Bureau of EMS Representative. If an end user is unsure whether or not the information they have downloaded or printed may be distributed, the user must contact the EMS Data Reporting Manager for direction.

3 EMSTARS SECURITY

3.2 Data Structure

The EMSTARS system, and access to its data, will be structured in such a way as to allow access only to authenticated users and only at authorized permission levels. The EMSTARS web site will be secured with SSL 128-bit encryption. All personally identifiable patient information will be secured in a separate database schema. No end user may access the secured patient data. Most of the data and reports in the system will be aggregated (grouped / summed / sorted) rather than displayed at the record level. It is not the focus of the EMSTARS system and statewide database to provide search or display capabilities for individual incidents or patients.

3.3 AUTHENTICATION

The EMSTARS system employs a dual authentication mechanism to grant access to the system. All accounts are created with an Agency ID and password (to associate users with a specific provider agency) and a personal Username and password. The Agency password is maintained by the EMSTARS System Administrator and is provided to each user as applicable. An agency's Key User is the only person who can request new or modified user accounts. All account maintenance must be initiated by the Key Users. For new accounts, the individual user passwords are system-generated, random passwords and must be changed by the appropriate user upon initial login (or upon the next login after a reset).
As defined below, user passwords must meet minimum complexity requirements (password syntax and thresholds) and must be a combination of 8 or more characters:

o There must be at least one numerical character and one alphabetical character
o Passwords may also include special symbols (!@#$%^&*(){}[]<>~)
o User passwords should not spell any word that appears in the dictionary
o User passwords have to be reset at least biannually

Accounts are locked out after three unsuccessful login attempts. Only an agency's Key User is allowed to contact the System Administrator to unlock an account. Accounts may also be locked manually by the System Administrator at the request of a Key User.
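The password rules and three-attempt lockout above, implemented as an added example; this code is not part of the EMSTARS policy or system. It assumes a small constructed word list, reads "biannually" as a 180-day maximum password age, stores salted PBKDF2 hashes, and uses a constructed clock named TODAY.

```python
# Added example, not from the EMSTARS policy: Section 3.3 password rules and lockout.
# Assumptions made here: the word list, 180-day "biannually", PBKDF2 hashing, TODAY.
import hashlib
import secrets
import string
from datetime import date, timedelta

ALLOWED_SYMBOLS = set("!@#$%^&*(){}[]<>~")   # symbols the policy permits
MIN_LENGTH, MAX_FAILED_ATTEMPTS = 8, 3       # 8+ characters; lock after 3 failures
MAX_PASSWORD_AGE = timedelta(days=180)       # assumed meaning of "biannually"
DICTIONARY = {"password", "florida", "ambulance", "paramedic"}  # constructed word list
TODAY = date(2024, 1, 15)                    # constructed clock for the demo

def password_violations(password: str) -> list[str]:
    """Return every policy rule the candidate breaks; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numerical character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetical character")
    bad = {c for c in password if not (c.isalnum() or c in ALLOWED_SYMBOLS)}
    if bad:
        problems.append("characters outside the permitted set: " + "".join(sorted(bad)))
    if "".join(c for c in password if c.isalpha()).lower() in DICTIONARY:
        problems.append("spells a dictionary word")  # assumed: letters-only check
    return problems

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self):   # salted hash, failure counter, lock and must-change flags
        self.salt, self.digest = secrets.token_bytes(16), b""
        self.password_set_on, self.failed_attempts = date.min, 0
        self.locked, self.must_change = False, True

    def issue_temporary_password(self, today: date = TODAY) -> str:
        """System-generated random password for a new account or a Key User reset."""
        temp = "".join(secrets.choice(string.ascii_letters) for _ in range(10))
        temp += f"{secrets.randbelow(100):02d}"  # guarantees letters and digits
        self.digest, self.password_set_on = _hash(temp, self.salt), today
        self.must_change, self.failed_attempts, self.locked = True, 0, False
        return temp

    def login(self, password: str, today: date = TODAY) -> str:
        """Outcome: 'ok', 'change-required', 'invalid' or 'locked'."""
        if self.locked:                  # only the agency Key User may request an unlock
            return "locked"
        if not secrets.compare_digest(_hash(password, self.salt), self.digest):
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= MAX_FAILED_ATTEMPTS
            return "locked" if self.locked else "invalid"
        self.failed_attempts = 0
        if self.must_change or today - self.password_set_on > MAX_PASSWORD_AGE:
            return "change-required"
        return "ok"

    def change_password(self, new_password: str, today: date = TODAY) -> list[str]:
        """Store the new hash only when no policy rule is violated."""
        problems = password_violations(new_password)
        if not problems:
            self.digest, self.password_set_on = _hash(new_password, self.salt), today
            self.must_change = False
        return problems
```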

In the event of a lost or compromised password, only an agency's Key User may contact the System Administrator to request a reset. As with the initial setup, a random password is generated by the system and emailed to the user; this password must be changed upon initial login.

3.4 AUTHORIZATION

The EMSTARS system employs role-based access control to assign permissions to groups of users. The profile to which an end user is assigned is determined by the agency administrator or the EMS Data Manager.

3.4.1 SYSTEM ADMIN

These users have access to all application services, all levels of reporting, and all data stored in the system (except ePHI, as described above); this profile represents the highest level of permissions available. This role resides exclusively within the Bureau's Data Unit.

3.4.2 DATA ANALYST

These users have access to all application services and all levels of reporting. This role resides exclusively within the Bureau of EMS, Data Unit.

3.4.3 KEY USER

These users have access to the application services required for direct communication and interaction with the Bureau of EMS, Data Unit. These permission levels include access to the Security Maintenance components, the XML Upload component for transmitting monthly data files, and the Submissions component for checking for records that did not pass content validation and were quarantined. This profile has reporting permissions equivalent to the Platinum Reporting profile described below. At least two users per agency will be granted the Key User role and its associated permissions.

3.4.4 PLATINUM REPORTING

These users have access to the reporting services offered by the application, including the ability to request the generation of custom queries and reports; this profile represents the highest level of secured reporting access and permissions. This profile is targeted towards Key Users and leadership roles within the provider agency such as the EMS Chief / Administrator, Medical Directors, and Quality Managers.
3.4.5 GOLD REPORTING

These users have access to the reporting services offered by the application, including the ability to request the generation of custom queries and reports; this profile represents the middle level of secured reporting access and permissions. This profile is targeted towards mid-level management within the provider agency, DOH users external to the Data Unit, and others in the Florida EMS community such as Advisory Council members, EMS Educators, Constituency Presidents, etc.

3.4.6 SILVER REPORTING

These users have access to the reporting services offered by the application; this profile represents the lowest level of secured reporting access and permissions, and no access to custom reporting requests will be granted. These users represent the largest quantity of all the system profiles. This entry-level profile is targeted towards most users across the state, including all provider agency staff and other interested members of Florida's EMS community.

3.4.7 PUBLIC ACCESS

These users have access only to the public reports and information linked from the EMSTARS home page. This access level does not require an account or login and, therefore, does not have access to any of the secured components.

3.4.8 MULTIPLE AGENCIES

Users who work for multiple agencies and require access to each of them, such as a paramedic, will require a different personal username and password for each agency, as well as each agency's own Agency ID and password. Users such as a Medical Director, Administrator, Quality Manager, or similar position that has oversight authority for multiple agencies must be granted the Platinum Reporting permission level. This permission level gives the user the ability to view multiple agencies with the same personal username and password. These users will still need each agency's Agency ID and password along with their username and password to view all data for that agency. Both of these scenarios must follow the authentication process described in Section 3.3 Authentication of this document.

3.5 TRACEABILITY

EMSTARS logs all actions and transactions. This information is used to provide auditability and traceability for the EMSTARS application.
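The role profiles of Section 3.4, the agency-bound login of Sections 3.3 and 3.4.8, and the audit trail of Section 3.5 combined into one authorization check, added here as an example that is not the EMSTARS system's own code. The service names, the statewide scope assumed for the Data Unit roles, and the sample users and agencies are constructed.

```python
# Added example, not from the EMSTARS policy: Section 3.4 role profiles, the
# agency-bound session of Sections 3.3/3.4.8 and the Section 3.5 audit trail.
# Service names, the statewide scope of Data Unit roles and all sample data are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

Role = Enum("Role", "SYSTEM_ADMIN DATA_ANALYST KEY_USER PLATINUM GOLD SILVER PUBLIC")

PUBLIC_ONLY = {"public_reports"}
STANDARD = PUBLIC_ONLY | {"standard_reports"}
CUSTOM = STANDARD | {"custom_reports"}                  # custom queries and reports
KEY_USER_SERVICES = {"security_maintenance", "xml_upload", "submissions"}
PERMISSIONS = {
    Role.SYSTEM_ADMIN: KEY_USER_SERVICES | CUSTOM,       # everything except ePHI
    Role.DATA_ANALYST: KEY_USER_SERVICES | CUSTOM,
    Role.KEY_USER: KEY_USER_SERVICES | CUSTOM,           # reporting equal to Platinum
    Role.PLATINUM: CUSTOM,
    Role.GOLD: CUSTOM,
    Role.SILVER: STANDARD,                               # no custom requests
    Role.PUBLIC: PUBLIC_ONLY,
}
STATEWIDE = {Role.SYSTEM_ADMIN, Role.DATA_ANALYST}        # assumed: Data Unit roles see all agencies
AUDIT_LOG: list[str] = []                                 # Section 3.5: every action is logged

@dataclass(frozen=True)
class User:
    username: str
    role: Role
    agencies: frozenset[str]   # agencies this personal account is assigned to

@dataclass(frozen=True)
class Session:
    user: User
    agency_id: str             # the Agency ID presented at login

def account_violations(user: User) -> list[str]:
    """Section 3.4.8: only Platinum (oversight) accounts may span several agencies."""
    problems = []
    if len(user.agencies) > 1 and user.role not in STATEWIDE | {Role.PLATINUM}:
        problems.append("multi-agency account requires Platinum Reporting")
    return problems

def open_session(user: User, agency_id: str) -> Optional[Session]:
    """Second half of the dual login: the agency credential must match the account."""
    ok = user.role in STATEWIDE or agency_id in user.agencies
    AUDIT_LOG.append(f"login user={user.username} agency={agency_id} {'OK' if ok else 'REFUSED'}")
    return Session(user, agency_id) if ok else None

def authorize(session: Optional[Session], service: str, agency_id: str) -> bool:
    """Decide one request and record it; ePHI is never released to any end user."""
    if service == "ephi":
        allowed = False
    elif session is None:                                # no account: public reports only
        allowed = service in PERMISSIONS[Role.PUBLIC]
    elif agency_id != session.agency_id and session.user.role not in STATEWIDE:
        allowed = False                                  # other agency: log in with its ID
    else:
        allowed = service in PERMISSIONS[session.user.role]
    who = session.user.username if session else "anonymous"
    AUDIT_LOG.append(f"{who} {service} agency={agency_id} {'ALLOW' if allowed else 'DENY'}")
    return allowed
```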
As the EMSTARS system contains confidential and/or exempt information on both patients and provider agencies, any unauthorized access to the system or its assets will be reported to the proper authorities and may result in civil or criminal penalties.

3.6 USER RESPONSIBILITIES

The following guidelines must be adhered to by all end users who are authorized to access the EMSTARS system and its reporting resources.

3.6.1 PASSWORD PROTECTION

It is the responsibility of all end users to take reasonable steps to safeguard their passwords (agency and user). User passwords must not be shared with any other persons, including other users. Agency passwords can be shared only with authorized personnel (EMSTARS end users) within that agency. A user may not offer to allow another user access to the system by using their username and / or password. Sharing of account information is prohibited.

3.6.2 ACCESS LOCATIONS

It is the responsibility of all end users to access the secure portion of the EMSTARS system and its assets only from agency-supplied computers. Access from home or from public-use computers is prohibited.

3.6.3 MAINTAINING CONFIDENTIALITY

It is the responsibility of all end users to ensure that confidential information remains protected and is not distributed or shared inappropriately. Please refer to the Confidentiality section for a complete explanation of what is, and is not, permitted. End users who encounter any Protected Health Information (PHI), such as personally identifiable data, must report this to the Bureau of EMS, Data Unit. No patient information should be available in the EMSTARS system; however, if this level of information is inadvertently presented within the system, the Bureau of EMS Data Unit must be notified so they can take steps to correct the problem. Additionally, end users shall not attempt to use the EMSTARS data or reports to track or link an individual's data, determine real or likely identities, gain information about an individual, or contact an individual. End users shall not use or further disclose the EMSTARS data or reports except as permitted. Provider agencies shall establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of, and to prevent unauthorized use of or access to, the EMSTARS data or reports.
End users shall not release, or allow the release of, the EMSTARS data or reports to any persons or entities other than as permitted and described in the Confidentiality section. Furthermore, where release of EMSTARS data or reports is permitted, end users shall instruct the individuals to whom the EMSTARS data or reports are disclosed of all obligations for their protection and shall require those individuals to maintain those obligations. End users shall secure the EMSTARS data or reports when they are not under the direct and immediate control of an authorized individual performing the functions.

3.6.4 REPORTING UNAUTHORIZED ACCESS

End users shall make a good-faith effort to identify any misuse or unauthorized disclosure of the EMSTARS data or reports. End users shall notify the Bureau of EMS, Data Unit within twenty-four (24) hours of discovery. Furthermore, any end user who observes, or is made aware of, any unauthorized person attempting to access the EMSTARS system and its assets must report the violation to the Bureau of EMS, Data Unit.

3.6.5 PENALTIES

End users acknowledge that failure to abide by the terms of the End User Security Policy may subject them to penalties for wrongful disclosure of protected health information under federal law. End users shall inform all persons with authorized access to the EMSTARS data or reports specified of the penalties for wrongful disclosure of protected health information.

The security and protection of patient and EMS provider information is of the utmost importance to the EMSTARS program. Accordingly, each registered EMSTARS user must agree to adhere to the terms and conditions of the EMSTARS End User Security Policy. As part of the New Account process (as documented in the EMSTARS Program Manual), Key Users must supply each new end user with a copy of the Security Policy, which must be signed and submitted to the Data Unit. Key Users should answer any questions the end user may have regarding the policy. If the Key User is unable to answer a specific question, they may contact the Data Unit for clarification.

Statement of Acceptance by the Registered EMSTARS End User

With my signature below, I acknowledge the fact that I have been provided a copy of the EMSTARS End User Security Policy, I have reviewed the policy, any questions have been answered, and I accept the terms set forth within.

Name of End User (Please print):
Signature of End User:
Date:
EMSTARS User Name (Your assigned login name):
Agency Name:
Agency ID:
Signature of Agency Key User (Required for EMS agency end users):

Please fax this signature page to: Bureau of EMS Data Unit, 850-488-2512, ATTN: EMS Data Manager. Or, you may scan this page, with the original signature, and email the document to: emstars@doh.state.fl.us

END OF DOCUMENT