Data Privacy, Security, and Confidentiality
Policy and Procedure Manual
Table of Contents
Policies and Procedures
Audit Trails and Data Quality Monitoring Program
Risk Assessment, Contingency Planning, and Data Recovery
Security and Privacy of Mobile Health Technologies
It is Davenport Hospital’s policy to always comply with the laws, rules, and regulations governing data privacy, security, and confidentiality. This manual contains the policies and procedures that are applicable to Davenport Hospital and its employees. It is mandatory that employees of Davenport Hospital follow these policies and procedures, including for information available via internet, intranet, or network computers on site. If there are any questions related to these policies and procedures, please direct them to the Information Technology Manager of Davenport Hospital, http://[email protected]
Audit Trails and Data Quality Monitoring Program
Protect and safeguard the confidentiality, integrity, and availability of data “access to the Electronic Health Record (EHR) including use of the minimum necessary amount of protected health information (PHI) to get an employment-related task accomplished” (“Managing Audit Trails,” n.d.).
Davenport Hospital will have ongoing auditing and monitoring to aid in the prevention of inappropriate access to data through technical security solutions that ensure the security and resilience of systems. To support this policy, Davenport Hospital:
• Determines, documents, implements, and reviews audit records.
• Protects and restricts removable media.
• Controls access to systems.
• Protects communications and control networks.
This policy applies to all employees, full time or temporary, contractors, and third parties who have access to or use Davenport Hospital’s data, regardless of physical location.
• Monitor activities to include execution of authorized access, unauthorized access attempts, and system alerts or failures at least once a quarter.
• Analyze records for inappropriate activity on an ongoing basis.
• Report any auditable events or security incidents to the appropriate party responsible for security and compliance issues.
• Test and review on a regular basis the effectiveness of access control and security mechanisms.
• Improve “data quality through common understanding and agreement about names, definitions, values, ranges, and formats” (“Data Governance,” n.d.).
• Implement data quality planning that meets the needs of the hospital.
• Utilize data profiling to reveal any defects, anomalies, and opportunities to enhance quality rules.
• Address methods to validate and correct data defects.
Risk Assessment, Contingency Planning, and Data Recovery
The purpose of this policy is to address the prevention of critical data loss due to a server crash, power failure, or any other incident that threatens critical company data, and to ensure continued functionality in the event of an interruption or disaster due to temporary or permanent loss of computer facilities.
Davenport Hospital along with its business associates will develop and implement activities to minimize the impact of disruptions to critical business operations in the event of a disaster. The Disaster Recovery Plan includes the following items:
• Grouping and categorizing into Tiers all infrastructures, systems, applications and services in order to determine the appropriate recovery sequences so that essential systems and services can be recovered within the required business recovery time.
• Coverage for all IT services
• Communication mechanisms
• Roles and responsibilities that clarify who can initiate IT Disaster Recovery plans.
All personnel of Davenport Hospital will strictly adhere to these processes and procedures in the event that an imminent disaster or security risk has been recognized.
• Security risk analysis will be “performed periodically and when a change occurs in the practice or the technology” (Oachs, 20160715, p. 320).
• There will be regular backup of critical data to a data backup service.
• The appropriate personnel will secure and store hard disks.
• Employees will cease operations and back up their sensitive data files.
• If a server is unserviceable, there will be immediate backup of data to server room hard drives with removal and storage of hard drives off the premises.
• Installation of security alarm systems in area buildings.
• Installation of anti-hacking and anti-malware software.
• Training of employees will begin upon hire.
• Identify preventive controls that reduce the effects of system disruptions, increase system availability, and reduce contingency life cycle costs.
• “Develop recovery strategies that ensure the system can be recovered quickly and effectively following a disruption” (“NRECA Cybersecurity Guide for an Electric Cooperative,” n.d.).
• Develop an IT contingency plan detailing guidance and procedures for restoring a damaged system.
• “Identify gaps in the plan and train recovery personnel for plan activation to improve overall preparedness” (Swanson, 2015).
• Plan maintenance to remain current with system enhancements.
• “A clearly defined plan for the restoration of data should be documented and kept within the contingency planning documentation” (Oachs, 20160715, p. 323).
Security and Privacy of Mobile Health Technologies
Guard the data integrity, confidentiality, and availability of PHI by protecting information and information technology on portable devices.
This policy describes the responsibility of all employees, volunteers, and other affiliated individual users of electronic protected health information (ePHI) of Davenport Hospital as it relates to personal mobile devices. Furthermore, this policy is for entities engaged in administration, education, research, and clinical activities for which portable computing devices and/or portable storage devices are used or being considered for use in the future.
This policy applies to all Davenport Hospital Covered Entities with mobile devices that contain access to Confidential Information.
• Employees should not access their interacting or supervising a patient at any time.
• All personal devices should be kept out of sight and silent.
• All ePHI or other sensitive information must be stored in secure environments only.
• Copying or downloading ePHI or other sensitive information to a local hard drive, CD, DVD, flash drive, laptop, or other storage device is prohibited without prior approval from senior management.
• Security of data on such devices is subject to the provisions of relevant local, state, and federal statutes and regulations.
• No use of personally owned portable devices for work related purposes unless approved by senior management. If approved, the device must comply with all policies and procedures.
• Approved strong password techniques will be utilized.
• Encryption software for use on wireless networks for secure information transfers will be approved by Davenport Hospital.
• Install up-to-date anti-malware software and maintain frequent updates.
• Firewall protection will be utilized if the device is connected to an always-on internet connection.
• Sensitive information will require two-factor authentication as defined in the HIPAA Guidance for Remote Access.
• Portable devices using a browser or other Internet access will follow policies and procedures for securing the browser.
• Portable devices will be backed up on a routine basis, but will not be backed up on public workstations, home computers or laptops.
• Sharing among family members or outside parties is prohibited.
• Before disposal or transfer to a new owner, all ePHI on the device must be destroyed.
NRECA Cybersecurity Guide for an Electric Cooperative. (n.d.). Retrieved from https://www.smartgrid.gov/document/cybersecurity_guide_electric_cooperative.html
Data Governance. (n.d.). Retrieved from https://www.healthit.gov/playbook/pddq-framework/data-governance/
Managing Audit Trails. (n.d.). Retrieved from http://library.ahima.org/doc?oid=93266
Oachs, P. (20160715). Health Information Management: Concepts, Principles and Practice, 5th Edition VitalSource Bookshelf version. Retrieved from https://bookshelf.vitalsource.com/books/9781584265368
Swanson, M. (2015, October 14). Contingency Planning Guide for Information Technology Systems. Retrieved from https://www.fismacenter.com