DEPARTMENT: Information Technology & Services / POLICY DESCRIPTION: Information Security - Electronic Communications
PAGE: 1 of 6 / REPLACES POLICY DATED: 1/1/99, 8/15/01, 11/30/04, 4/30/05
EFFECTIVE DATE: January 1, 2009 / REFERENCE NUMBER: IS.SEC.002
SCOPE: This policy applies to all Users of Company electronic mail (e-mail), electronic communication systems and information systems, including, but not limited to, employees, contractors, physicians, volunteers, service centers, and representatives of vendors and business partners. Unless otherwise indicated, this policy applies to both internal Company e-mail and external e-mail sent over the Internet. The policy applies to all of the Company’s e-mail systems and other information systems and methods, including, but not limited to:
·  All e-mail systems (e.g., Outlook, Meditech Magic Office (also known as MOX));
·  All information systems and associated infrastructure;
·  All automated electronic communication processes utilizing e-mail or the Internet;
·  Internet-based discussion groups, chat services, and mailing lists;
·  Instant Messaging systems;
·  Electronic connections with the Internet or non-Company Systems; and
·  Electronic bulletin board systems and online services to which the Company subscribes.
PURPOSE: This policy is designed to protect the Company, its personnel, its customers, and its resources from the risks associated with use of e-mail, the Internet, and other forms of electronic communication.
POLICY:
1.  Business Purpose and Use. The Company encourages the use of the Internet, e-mail, and other electronic means to promote efficient and effective communication in the course of conducting Company business. Internet access, e-mail and other electronic means of communications made available through Company systems are Company property, and their primary purpose is to facilitate Company business. Users have the responsibility to use electronic means of communications in a professional, ethical, and lawful manner in accordance with the Company’s Code of Conduct.
2.  No Expectation of Privacy. Users shall have no expectation of privacy in anything they access, create, store, send or receive on Company computer systems, and the Company reserves the right to monitor and/or access communications usage and content without the User’s consent.
3.  Communications Content. Users must use the same care in writing and distributing e-mail or other electronic communications as they would for any other written communication. Content of electronic communications should be truthful and accurate, sent to recipients based on a need-to-know and sent or posted with appropriate security measures applied in accordance with the Information Security Standards. Information Security Standards are available on Atlas under Information Security.
4.  Internet and other Non-Company Network Connections. When using a computer attached to the Company’s network to connect to the Internet and other non-Company networks, Users must comply with the applicable Information Security Standards. Such standards include requirements for boundary protection, such as a Company firewall/proxy and virus wall.
A contract or agreement must be in place prior to the establishment of non-Company network connections and/or the exchange of electronic information assets. External entities must agree to protect the confidentiality and integrity of the exchanged electronic information assets. See the Company’s Patient Privacy (HIM.PRI) and Information Security (IS.SEC) Policies and the Company’s Security Standards (on Atlas at the IT&S Information Security site).
PROCEDURES:
1.  Business Purposes and Uses. Every User has a responsibility to protect the Company’s public image and to use Company e-mail, access to the Internet, and other means of electronic communications in a productive and appropriate manner. As with all communications, Users must avoid communicating anything that might appear inappropriate or might be misconstrued as inappropriate by a reader.
The Company recognizes that Users may occasionally need to conduct personal business during their work hours and permits highly limited, reasonable personal use of the Company’s communication systems. Any personal use of the Company’s electronic communications is subject to all the provisions of this and related policies. Any questions are to be directed to the User’s company supervisor or designee.

2.  Monitoring.

a.  The Company may log, review, and otherwise utilize information stored on or passing through its systems in order to manage systems and enforce policy. The Company may also capture User activity such as web sites visited.

b.  To ensure appropriate use and successful operation of the Company’s electronic communication systems and the information they contain, Company system administrators sometimes must access and view the systems’ contents. Statistical information about each User and other records of system activity (e.g., number and size of messages sent and received, Internet sites visited, length of time spent using the Internet) are routinely collected and monitored by system administrators.

c.  While the goal of this monitoring is to evaluate and improve system performance and security, any evidence of violations of Company policy discovered during monitoring must be reported to the appropriate managers. Facility requests to retrieve electronic communication logs (e.g., Internet history logs, e-mail records) must be submitted by the facility Ethics & Compliance Officer (ECO), Human Resources representative, or Facility Information Security Official (FISO) to the facility’s Ethics Line Case Manager. Corporate requests must be submitted by the Department’s Vice President to the appropriate Ethics Line Case Manager. The Ethics Line Case Manager will consult with Corporate Labor Counsel to review the request and the retrieval of electronic communication logs, which includes accessing an individual's e-mail account and/or other electronic communication records. The Case Manager will forward the reviewed request to the SVP and Chief Ethics and Compliance Officer for approval. Electronic communication logs may be reviewed to address employment issues, system performance, or system security.

d.  The Company reserves the right, at any time and without prior notice, to examine e-mail, personal file directories, hard disk drive files, and other information stored on Company information systems, with proper legal authorization as described in c above.

1.  This examination is performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of Company information systems.
2.  Information contained in e-mail messages and other information concerning computer usage may be disclosed to the appropriate authorities, both inside and outside the Company, to document employee misconduct or criminal activity. Moreover, in some situations, the Company may be required to publicly disclose e-mail messages, even those marked private or intended only for limited internal distribution.
e.  Personal files on Company computers must generally be handled with the same privacy given to personal mail and personal phone calls. This means that other workers, including managers and system administrators, must not read such personal files without authorization as described above. The following exceptions may be made routinely upon a request to the FISO with approval of the User’s department manager:
1.  To dispose of or reassign files after a User has left the Company.
2.  To access critical files when a User is absent and has failed to properly delegate access to e-mail or forward such files to appropriate colleagues.
3.  To research or respond to system performance or system security issues.
3.  Confidential Information Transmittal.
a.  Confidential information, as defined in the Information Security – Program Requirements Policy (IS.SEC.001) and the Company’s Code of Conduct, may only be transmitted via the Company’s internal e-mail systems, and only to other Users of the Company’s e-mail systems who are authorized to access the specific information.
b.  Confidential information may only be transmitted to accounts or destinations outside the Company using secure methods (e.g., encryption) specifically approved in advance by the Corporate Information Security Department within IT&S (Information Security Dept.) and in accordance with the Company’s Appropriate Access and Patient Privacy policies. In addition, appropriate agreements must be in place between the involved parties. (Refer to the Information Confidentiality and Security Agreements Policy, IS.SEC.005.)
c.  Confidential information must not be posted on publicly accessible areas of the Internet (e.g., discussion groups, bulletin boards, chat services, non-secured web sites).
Examples of inappropriate transmissions:
1.  Sending confidential information via e-mail or as an attachment to e-mail to your personal e-mail account.
2.  Using standard unencrypted or otherwise non-secured e-mail for communications with patients and other healthcare consumers.
4.  Malicious Code Protection. Each User must take reasonable precautions to avoid introducing viruses and other malicious code into the Company’s networks. Users must not download Internet files unless the download is approved by the User’s supervisor and needed to perform the User’s job functions. For example, Users should not download screen savers. Unexpected e-mail attachments, and attachments in e-mails from unknown parties, must not be opened without first validating the source. All Users must have the Company’s standard anti-virus utility properly installed and running on their PCs, and must keep the pattern files used to recognize malicious programs updated pursuant to IT&S procedures.
5.  Remote Access Authentication. Users will be “strongly” authenticated into the Company’s network when accessing the network from off-premise locations. Strong authentication requires the use of a network user-ID, password, and a token or certificate, as defined in the Information Security Standards. Because authentication technologies change, the specific method used to strongly authenticate an individual, process or program is defined in the Information Security Standards rather than in this policy.
6.  Internet Use.
a.  The Company is not responsible for non-business related material viewed or received by Users on or from the Internet. Users are only to access or download materials from appropriate Internet sites in accordance with the Code of Conduct.
b.  Appropriate methods, as defined in the Information Security Standards, must be followed when using the Internet (external e-mail, file transfer, or Web services) to communicate confidential information (e.g., patient information, personnel data, strategic plans) with non-Company entities, such as payers and physician offices.
7.  Email System Standards. When using Company e-mail systems, Users must comply with applicable Information Security Standards. Such standards include parameters for electronic mail signature language and use of graphics within e-mail messages.
8.  Unacceptable Uses. Users may NEVER use the Company’s Internet access, e-mail, or other electronic means of communications in any of the following ways:
a.  To harass, intimidate, or threaten another person.
b.  To access or distribute obscene, sexually explicit, abusive, libelous, or defamatory material.
c.  To distribute copyrighted materials that are not authorized for reproduction/ distribution.
d.  To impersonate another user or mislead a recipient about your identity.
e.  To access another person’s e-mail, if you are not specifically authorized to do so.
f.  To bypass system security mechanisms.
g.  To transmit unsecured confidential information.
h.  To initiate or forward chain letters or chain e-mail.
i.  To send unsolicited mass e-mail (“spamming”) to persons with whom the User does not have a prior relationship.
j.  To participate in political or religious debate.
k.  To automatically forward messages (e.g., with mailbox rules) to Internet e-mail addresses.
l.  To communicate the Company’s official position on any matter, unless specifically authorized to make such statements on behalf of the Company.
m.  To pursue business interests that are unrelated to the Company.
n.  To conduct any type of personal solicitation.
o.  To deliberately perform acts that waste computer resources or unfairly monopolize resources.
p.  For any purpose which is illegal, against Company policy, or contrary to the Company’s best interests.
9.  Sanctions. Suspected violations of this policy must be handled in accordance with this policy, the Code of Conduct, and any Company sanctions and enforcement policies. Investigation and resolution at the local level is encouraged and each facility must designate a process for promptly reporting violations. In addition, violations may be reported to the Ethics Line at 1-800-455-1996.
10. Policy Exceptions. The Company’s Chief Information Security Officer establishes information security governance processes. Requests for exceptions should be sent to Information Security via e-mail. Exception approval is based upon risk management reflecting appropriate, reasonable, and effective information security measures for a given situation.
REFERENCES:
Code of Conduct, effective January 1, 2009
Health Insurance Portability and Accountability Act, Security Standards for the Protection of Electronic Protected Health Information, 45 CFR Parts 160, 162, and 164
CPCS Appropriate Access Policy, IS.AA.001 and all other Company appropriate access policies, procedures and guidelines
Information Security – Program Requirements, IS.SEC.001
Information Confidentiality and Security Agreements Policy, IS.SEC.005
Information Security Standards and Toolkits (Available on Atlas in the IT&S Information Security site)
Information Security Guide (Available on Atlas in the IT&S Information Security site)
Patient Privacy Policies, HIM.PRI.001 through HIM.PRI.009
Copyright Policy, LL.GEN.002
Records Management Policy, EC.014
Electronic Communications Privacy Act

11/2008