Section / Risk Management / Policy Number / 2-I
Topic / Technology Plan / Last Review Date / 04/20/16
CARF Standards / 1.E.3.c-e; 1.E.4.c; 1.J / Last Revision Date / 04/20/16
Purpose / To create a more effective and efficient work environment using technology and to ensure that electronic information is protected from loss and that the privacy of electronic information is protected

1.  PURPOSE: The agency uses technology to efficiently track and analyze a variety of data, including client, staff, billing, and accounting information. Reports are easily generated to compile a variety of statistics that support efficient information management and performance improvement activities.

2.  ASSESSMENT: The agency’s technology system/plan is reviewed annually as a component of the performance improvement and strategic planning process. This review includes an evaluation of whether the system can be updated to improve service provision, efficiency and productivity of personnel, and communication with stakeholders. Technology is updated based on a cost-benefit analysis by the Executive Leadership team.

3.  PROFESSIONAL SUPPORT: The agency contracts with an Information Technology (IT) agency that is responsible for advising the agency regarding purchasing new equipment, installing software, setting up security settings, troubleshooting IT problems, updating technology systems, managing the server network, and monitoring all IT systems to ensure peak functionality. The agency also contracts with professionals who have expertise in database development, website development, and phone system programming.

4.  COMPUTER HARDWARE: The agency maintains a terminal server that contains all data for the agency. Each staff member is assigned a work station (PC or laptop) that accesses the data on the terminal server through either a remote desktop connection with VPN (remote offices) or through an internal network (main office).

5.  COMPUTER SOFTWARE:

a.  All agency computers run on a Windows operating system.

b.  The agency server runs on a Windows Small Business Server operating system to allow multiple users in the remote offices to access the server’s information.

c.  A database of client information has been designed using Microsoft Access. It can efficiently track and analyze data regarding a variety of client and treatment-related factors. It is modified by a professional certified in Access programming on an as-needed basis. Electronic client data are stored on the agency’s server.

d.  A database of staff information has been designed using Microsoft Access. It can efficiently track and analyze data regarding a variety of staff and hiring-related factors. It is modified by a professional certified in Access programming on an as-needed basis. Electronic staff data are stored on the agency’s server.

e.  Therapist Helper software serves as the agency’s billing database. It can efficiently submit claims, track payments, and generate invoices for unpaid balances. Electronic billing data are stored on the agency’s server.

f.  QuickBooks serves as the agency’s accounting database. It can efficiently track and analyze revenue and expenditures, produce financial reports, generate staff and vendor payments, and calculate taxes. Electronic accounting data are stored on the agency’s server.

g.  Microsoft Word is used to design agency forms. These forms are maintained electronically in an organized fashion on the agency’s server. The most current version of each form is available to all clinical staff on the agency’s website, via a password protected portal to staff resources.

h.  Microsoft Excel is used to compile data, in both table and graph forms, for a variety of reports. These reports are maintained on the agency server.

i.  Microsoft Outlook is used for managing email functions, prompting events on calendars, and managing contact information for outside stakeholders (e.g., referral sources, funders, other providers). Outlook files are maintained locally on each individual work station.

j.  Protected Trust is the encryption service used to protect emails containing confidential information. The service plan includes 1-year storage of protected emails. Contractors are encouraged to sign up for Protected Trust, but they may opt for a different encryption service with 1-year storage.

6.  SECURITY:

a.  Remote server access is password protected for each individual user in the remote sites. Staff within the main office have access to the server through the internal network.

b.  Each work station computer is set up with password protection to ensure that only the staff assigned to that terminal may access that computer. All computers are set to require password login after a period of 10 minutes of inactivity. The Human Resources Manager maintains a list of staff passwords, in the event that Executive Leadership requires access to individual staff computers and user files.

7.  CONFIDENTIALITY:

a.  The contracted Information Technology agency and database programmer sign a HIPAA Confidentiality statement prior to being given access to electronic client information.

b.  Office staff: All office staff have access to the agency’s server. Each user has different privilege levels based on their job duties and need for access to various data. The Human Resources Manager controls staff privilege levels and access. When office staff leave the agency, their user access is immediately terminated.

1)  Client database: All office staff have access to the client database.

2)  Staff database: All office staff have access to the staff database, except staff pay and Social Security number, which are protected by password access. Only Executive Leadership staff (Executive Director, Finance Director, Operations Director, Human Resource Director) and the Administrative Specialist, who provides assistance to the Executive Leadership staff, have access to this protected staff information.

3)  Billing database: All office staff have access to the billing data.

4)  Accounting database: QuickBooks is password protected so that only Executive Leadership staff and the Administrative Assistant have access to the accounting data.

5)  Other electronic confidential administrative records (e.g., staff evaluations, budgets, investigations, disciplinary action) are stored on the agency’s server in files that are accessible only to management staff, based on each user’s approved permission level.

6)  When office computers are recycled, all confidential information is permanently deleted prior to donation.

c.  Clinical Staff: Clinicians’ contracts contain requirements for the following:

1)  Email address that requires a password known only by the user in order to access

2)  Encryption service for emailing information containing confidential information

3)  Password protection to unlock cell phones that have access to confidential information (stored client phone number/name, texts, email)

4)  Electronic records stored on their personal computer are saved in a password protected file

5)  Personal computers are set up with a separate user account with password protection for agency-related business.

6)  When personal computers are recycled, all confidential information is permanently deleted prior to donation

8.  BACK UP: The agency’s server is set up with continuous backup to a second internal drive, daily backup to an external hard drive that is swapped weekly and stored off-site, and daily online backup through a commercial service (Carbonite) that has security to protect against loss and breach of privacy. Outlook files for each work station are set to back up daily on the agency’s server.

9.  ASSISTIVE TECHNOLOGY: In the event that staff request special accommodations for assistive technology, such as larger monitors, non-glare screens, voice recognition software, or telephone headsets, the agency’s leadership will consider and fund such requests on a case-by-case basis.

10.  DISASTER RECOVERY PREPAREDNESS: In the event of an impending natural disaster, all computer and phone system equipment are unplugged and moved away from windows and off of the floor. All electronic equipment will be covered with plastic to prevent damage. In the event of a total loss, it is estimated that data and system capability could be restored within 48 hours.

11.  VIRUS PROTECTION: The terminal server and each work station computer have virus protection software (Panda) installed immediately upon purchase, and the software is programmed to automatically download updates on an ongoing basis.

1.E.3.c / Policies and written procedures address security of all records / Records Security, Technology Plan
1.E.3.d / Policies and written procedures address confidentiality of records / Records Security, Technology Plan
1.E.3.e / Policies and written procedures address compliance with applicable laws concerning records / Records Security, Technology Plan
1.E.4.c.(1) / Appropriate safeguards of records include procedures for ensuring that only authorized personnel have access to records of the persons served / Record Mgmt, Technology plan
1.E.4.c.(2) / Appropriate safeguards of records include procedures for ensuring that only authorized personnel have access to administrative records / Record Mgmt, Technology plan
1.E.4.c.(3) / Appropriate safeguards of records include procedures for ensuring that only authorized personnel have access to electronically generated documents (including fax or email) / Record Mgmt, Technology Plan
1.J.1.a.(1) / The organization implements a technology and system plan that includes hardware / Technology plan
1.J.1.a.(2) / The organization implements a technology and system plan that includes software / Technology plan
1.J.1.a.(3) / The organization implements a technology and system plan that includes security / Technology plan
1.J.1.a.(4) / The organization implements a technology and system plan that includes confidentiality / Technology plan
1.J.1.a.(5) / The organization implements a technology and system plan that includes backup policies / Technology plan
1.J.1.a.(6) / The organization implements a technology and system plan that includes assistive technology / Technology plan
1.J.1.a.(7) / The organization implements a technology and system plan that includes disaster recovery preparedness / Technology plan
1.J.1.a.(8) / The organization implements a technology and system plan that includes virus protections / Technology plan
1.J.1.b.(1) / The organization implements a technology and system plan to support information management / Technology plan
1.J.1.b.(2).(a) / The organization implements a technology and system plan that supports performance improvement activities for program/service delivery / Technology plan
1.J.1.b.(2).(b) / The organization implements a technology and system plan that supports performance improvement activities for business functions / Technology plan
1.J.1.c / The organization implements a technology and system plan that is reviewed at least annually for relevance / Technology plan
1.J.1.d / The organization implements a technology and system plan that is updated as needed / Technology plan
