Infosec Acceptable Use Policy


RIVER HILLS COMMUNITY HEALTH CENTER

POLICY ON CLEAN AND UNCLUTTERED OFFICES AND DESKS

Submitted by: Curt Meeks, CO Policy #

Approved By: Policy Supersedes:

Date: Revised/Reviewed:

Policy

It shall be the policy of River Hills CHC that all workforce members shall maintain clean and orderly office work areas and desks that are clutter-free in order to protect paper documents that might contain sensitive information about our patients, customers and vendors. A clutter-free office and desk projects a positive image when customers visit our facilities and reduces the threat of a security incident as confidential information will be locked away when unattended. Sensitive documents containing PHI or proprietary information should not be left unattended and in the open as these documents could be stolen.

Purpose

The purpose of this policy is to comply with the HIPAA Privacy Rule and HIPAA Security Rule’s requirements pertaining to the acceptable use of River Hills CHC IT resources regarding protected health information (PHI) and electronic protected health information (EPHI).

River Hills CHC policies regarding privacy and security of PHI/EPHI reflect its commitment to protecting the confidentiality of patients’ medical records, patient accounts, clinical information from management information systems, confidential conversations, and any other sensitive material as a result of doing business. While a commitment to privacy and security of PHI/EPHI is the expectation, there remains a possibility that an inappropriate or unintended disclosure of PHI/EPHI may result in a privacy breach. This policy outlines the procedure to mitigate breaches, both willful violations and unintended actions, consistent with guidance described by the HIPAA and HITECH laws.

Overview

River Hills CHC’s intention for publishing this HIPAA Clean and Uncluttered Office and Desk Policy is not to impose restrictions that are contrary to River Hills CHC’s established culture of openness, trust and integrity. River Hills CHC is committed to protecting employees, patients, partners and itself from illegal or damaging actions by individuals, either knowingly or unknowingly.

Effective HIPAA security is a team effort involving the participation and support of every River Hills CHC employee and affiliate that interacts with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

Any time that protected health information (PHI) is referenced in this policy, it is referencing the HIPAA Privacy Rule; when electronic protected health information (EPHI) is referenced in this policy, it is referencing the HIPAA Security Rule.

Scope

This policy applies organization-wide.

Procedure

1. General Guidance

1.1 Allocate time at the end of a duty shift or work day to properly secure all documents.

1.2 Always clear your workspace before leaving for long periods of time.

1.3 If in doubt, properly secure or dispose of the paper in question.

1.4 If you are unsure of whether a duplicate piece of sensitive documentation should be kept, it is better to destroy it immediately or place it in the shredder bin.

1.5 Consider scanning paper items and filing them electronically.

1.6 Use the shredder bins for sensitive documents that are no longer needed.

1.7 Secure offices, desks and filing cabinets at the end of the day.

1.8 Secure portable computing devices such as laptops or PDA devices.

1.9 Treat mass storage devices such as CDROM, DVD or USB drives as sensitive and secure them in a lockable container.

2. Working at Your Desk

2.1 Keep your desk work area neat and orderly to minimize accidental loss of confidential documents or sensitive information.

2.2 Do not leave sensitive documents in your office or on your desk unattended.

3. Away from a Desk

3.1 When away from your desk for known extended periods, such as a lunch break, lock your office or place sensitive working papers in locked drawers or other appropriate security containers. Sensitive documents or confidential information do not have to be removed from desk tops that are located in lockable offices.

3.2 At the end of the duty shift, workforce members are expected to tidy their desk and to put away all confidential or sensitive documents. Lockable offices must be locked at the end of the work day. Sensitive documents or confidential information do not have to be removed from desk tops that are located in lockable offices.

4. Enforcement. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5. Reference(s)

5.1 Health Insurance Portability and Accountability Act of 1996 (HIPAA) at 45 C.F.R. § 164.308; § 164.530.

5.2 The American Recovery and Reinvestment Act of 2009 (ARRA) Division A, Title XIII, Part 2, Subtitle D-Privacy Sec. 13400; Sec. 13402 of the HITECH Act.
