NORTH GEORGIA HEALTH DISTRICT
County Board of Health Administrative Policy #3004
Cherokee, Fannin, Gilmer, Murray, Pickens, Whitfield
USE OF COMPUTERS & INTERNET
EFFECTIVE DATE: August 1, 2010
RELEASE DATE: August 1, 2010
REFERENCES: Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, Privacy Rule and Security Rule
The purpose of this policy is to establish guidelines for the use of computer hardware and software and appropriate business usages of Internet access and electronic mail (e-mail) accounts provided by the County Board of Health (CBH). The privacy and security of protected health information are high priority concerns of CBH. Accordingly, the following policy and procedures are intended to support the Agency’s safeguards of privacy and security. CBH seeks to promote the efficient use of resources and to promote the delivery of public services through the use of an information technology (IT) enabled system that works better, costs less and is capable of serving members’ and other customers’ needs appropriately.
DEFINITIONS
For purposes of this policy, the following terms mean:
A. “Document” refers to any kind of file that can be read on a computer screen as if it were a printed page, including files read in an Internet browser, any file meant to be accessed by a word processing or desk-top publishing program or its viewer, or the files prepared for reading by other software or other electronic publishing tools.
B. “Display” includes monitors, flat-panel active or passive matrix displays, LCDs, projectors, televisions and virtual-reality tools.
C. “Electronic media” means (1) Electronic storage media including memory devices in computers (hard drives) and any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) Transmission media used to exchange information already in electronic storage media. Certain transmissions, including paper via facsimile, and voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission.
D. “Electronic protected health information” or “E-PHI” means protected health information transmitted by electronic media or maintained in electronic media.
E. “Electronic mail” (“e-mail” or “email”) is a method of composing, sending, storing, and receiving messages over electronic communication systems or Email Systems. The term e-mail applies both to the Internet e-mail and to intranet systems allowing users within one agency or organization to send messages to each other.
F. “E-mail Systems” are software and hardware systems that transport messages from one computer user to another. E-mail systems range in scope and size from a local email system that carries messages to users within an agency or office to an e-mail system that sends and receives messages around the world over the Internet.
G. “E-mail messages” are electronic documents created and sent or received by a computer via an e-mail system. This definition applies equally to the contents of the communication, the transactional information, and any attachments associated with such communication. E-mail messages are similar to other forms of communicated messages, such as memoranda and letters.
H. “Graphics” includes photographs, pictures, animations, movies, or drawings.
I. “Individually identifiable health information” means information, including demographic information collected from an individual, that:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
a. That identifies the individual; or
b. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
J. “Information Technology Resources” or “IT Resources” means hardware, software, and communications equipment, including, but not limited to, personal computers, mainframes, networks, servers, portable computers, peripheral equipment, personal digital assistants (PDAs), wireless communications, facsimile machines, and other relevant hardware and software items as well as personnel tasked with the implementation and support of technology.
K. “Limited Use” is defined as ten (10) minutes or less of personal use of the Internet during breaks or lunch.
L. “Protected health information” or “PHI” means individually identifiable health information that is:
1. Transmitted by electronic media;
2. Maintained in electronic media; or
3. Transmitted or maintained in any other form or medium.
M. “User” or “IT User” means employees, contractors, vendors, or any other individuals who are granted access to a CBH information technology resource.
POLICY/PROCEDURES
A. CBH shall take appropriate steps, including the implementation of strongest-available and practicable encryption, user authentication, and virus protection measures, to mitigate risks to the privacy and security of CBH data and information systems associated with the use of information technologies. CBH IT resources, including data, hardware and software, will be protected from unauthorized access, misuse, or loss. Individual IT users must take steps to help protect the privacy and security of IT resources over which they have control or to which they have access. Individuals who use CBH IT resources will be trained in the CBH information privacy and security program. Confidential information, including protected health information, must be protected from unauthorized disclosure, modification, use, or destruction. Safeguards must be maintained to ensure that its integrity, confidentiality, and availability are not compromised.
B. CBH employees and DCH employees who work in the NGHD will receive an introduction to computer security policies during employee orientation. Each CBH employee is required to attend IT security training once a year. This training will be offered by NGHD IT staff.
C. As an employee’s duties and responsibilities or access to information systems change, the IT Department will ensure that appropriate role-based and access-based training about the use of IT resources is provided to each such employee.
D. IT Users must comply with the provisions of the IT User Agreement (Attachment #1). Noncompliance with this policy and the attached agreement will subject CBH staff to disciplinary action, up to and including termination. The sanctions applied, if any, will be in proportion to the severity of the noncompliance and the risk of harm attributable to the individual’s noncompliance. IT Users who become aware of any incident that threatens the Privacy or Security of CBH IT resources, including but not limited to information systems, databases, computer networks, premises, assets, or personnel should immediately report the incident to their immediate supervisor and to the IT Director.
Such incidents include, but are not limited to:
- Loss or theft of a CBH-issued laptop or a personal laptop that contains confidential or protected health information, regardless of whether the information is believed to be encrypted or otherwise safeguarded;
- Loss or theft of any portable media that contains confidential or protected health information, regardless of whether the information is believed to be encrypted or otherwise safeguarded;
- Loss or theft of a CBH-issued personal digital assistant (PDA), including a BlackBerry, PalmPilot or a personal PDA that contains confidential or protected health information, regardless of whether the information is believed to be encrypted or otherwise safeguarded;
- Fraudulent access to CBH information systems, unauthorized access or use of CBH resources or services, shared or compromised passwords, or improper use of CBH email or Internet access;
- Threats or damage to CBH employees, facilities, or systems.
COMPUTER EQUIPMENT
A. The computer resources are to be used only in a manner consistent with the goals and objectives of the NGHD.
B. State computers and equipment are to be used to accomplish work-related assignments. Employees who divert state property or resources for personal gain will be required to reimburse the CBH and will be subject to other appropriate disciplinary action. State computers and equipment are to be used for state business only.
C. Employees must obtain written approval from their immediate supervisor before removing computer equipment from offices of the NGHD. The approval must show decal number, make, model, and serial number of the computer equipment being removed.
D. The Property Disposition Form (Attachment #2) must be completed by the employee if computer equipment is being removed from or transferred between offices or rooms or sites. This form requires supervisor approval and should be sent to the IT Director for processing.
LICENSING
A. The network(s) are to be used responsibly by all CBH employees. The users of the network are responsible for respecting and adhering to local, state, and federal laws including those laws related to copyrights, software licensing, and transmission of threatening or obscene materials.
B. All computer software installed on CBH computers must be licensed as required by the software manufacturer. All CBH employees will follow and abide by commercial licensing laws and requirements.
SECURITY OF PASSWORDS AND NETWORK DATA
A. Individual passwords are established by each employee for access to the network(s). Passwords shall remain private and confidential. Sharing network and/or screen saver passwords with any other person is prohibited, unless approved by the IT Director to support special operational configurations.
B. Strong passwords must be used. Strong passwords are defined as having the following characteristics:
- Are at least eight characters in length.
- Contain characters from at least three of the following four types of characters:
  - English upper case (A-Z)
  - English lower case (a-z)
  - Numbers (0-9)
  - Non-alpha special characters ($,!,%,^)
- Must not contain the user’s name
- Must not contain part of the user’s full name
C. Anti-virus software is installed on the network(s) to detect and “clean” any virus introduced. Accordingly, for security reasons, the anti-virus program must not be disabled.
D. Installing software and screen savers other than CBH-approved software and files on PC hard drives is prohibited because of the limited hard disk space, the danger of importing computer viruses, and the software licensing issues mentioned above. The prohibition includes music files, pictures, file sharing software and other programs and applications outside of the software, programs and applications installed by or with the approval of the IT Department. At no time may a user install software on the network server, as this will increase the danger of introducing and spreading viruses to the network.
E. The CBH may issue a laptop computer or other computer hardware to staff. If issued a laptop or other equipment, staff assumes responsibility for the safety and security of the equipment and should follow procedures for removal of equipment from the CBH offices.
USE OF THE INTERNET AND EMAIL
A. The CBH will provide Internet access and e-mail addresses as necessary to employees for the efficient and effective performance of their duties. Internet access is provided to facilitate business-related research and access to information and to enhance communication with customers, vendors, colleagues and others receiving services from, doing business with, or seeking information from CBH employees.
B. Computer equipment and other resources required for Internet access and e-mail accounts are provided to employees at significant cost to the State, and as with other state property, employees must ensure that such resources are not misused. Although valuable business tools, Internet and e-mail access are considered privileges, and as such CBH reserves the right to revoke access to either or both for inappropriate usage.
C. Data and files composed, transmitted, or received on CBH equipment, including Internet data and e-mail messages, are subject to disclosure under the Georgia Public Records Act upon request. Employees should ensure that all data accessed with or stored on CBH equipment is appropriate, ethical and lawful. E-mail users should be careful about how they represent themselves, since any message or data sent through the CBH e-mail system clearly identifies the message as coming from CBH and could be interpreted as a statement of CBH opinion, position or policy. Additionally, data that is composed, transmitted, accessed or received via CBH Internet resources must not contain content that may be considered discriminatory, offensive, threatening, harassing, intimidating, or disruptive to any employee or person.
D. Under no circumstances should CBH equipment or resources be used for: business or solicitations related to commercial ventures, religious or political causes, or any matter related to outside organizations, illegal activity, downloading or distributing pirated software, data or malicious program code (viruses), downloading personal software, files or programs or any other activity that would reflect discredit on the CBH.
E. The use of state-provided Internet access imposes certain responsibilities and obligations on users and is subject to state government policies and state and federal laws. As a condition of being granted Internet access by CBH, each employee must comply with this policy and refrain from inappropriate use at all times, including access during breaks or outside of regular business hours.
F. Examples of appropriate Internet use include the following:
1. Access to federal, state, or local government Internet sites;
2. Job-related research; and
3. Access to sites related to professional organizations or other professional development information.
Additionally, employees may make limited use (see definition of “limited use”) of the Internet on personal time at work consistent with the rest of this policy. Personal time includes breaks and lunch.
G. Inappropriate Internet use includes, but is not limited to:
1. Private or personal for-profit business activities. This includes Internet use for private purposes such as business transactions, private advertising of products or services, and any activity meant to foster personal gain;
2. Unauthorized not-for-profit business activities;
3. Conducting any illegal activities as defined by federal, state, and local laws or regulations;
4. Political or religious causes;
5. Accessing or downloading sexually explicit or pornographic material;
6. Accessing or downloading material that could be considered discriminatory, offensive, threatening, harassing, or intimidating including ethnic or racial slurs or jokes;
7. Gambling;
8. Uploading or downloading commercial or agency software in violation of copyright or trademark;
9. Downloading any software or electronic files without ensuring that CBH-provided virus protection is active;
10. On-line shopping and auctioning;
11. Accessing Web chat sites, dating sites, social networking sites; and
12. Downloading any software or programs from the Internet onto a CBH computer without express approval by the District IT Department.
H. Employees are also restricted from downloading trial versions of software unless prior arrangements are made with the IT Department.
I. Personal Use of the Internet and E-mail
1. CBH acknowledges that occasional personal use of Internet connectivity may occur. Any such use must be brief and infrequent, and limited to lunch and break periods or other non-work time. Examples of appropriate personal usage include: checking weather forecasts, accessing traffic reports, accessing deferred compensation or other benefit information. Employees are reminded that inappropriate use of CBH Internet access as defined above is prohibited at all times.
2. The e-mail system may not be used to distribute chain letters or other personal solicitations.
3. Unnecessary Internet usage causes network and server congestion, slows other users, takes away from work time, and could overburden other shared resources. Because of this, accessing/downloading audio or video files is strictly limited to business purposes only.
INTERNET AND E-MAIL USAGE MONITORING
A. While CBH respects the privacy of employees, ensuring compliance with this privacy and security policy is of utmost importance. Therefore, CBH reserves the right to retrieve and read any data composed, transmitted or received through on-line connections and stored on CBH property and to monitor Internet sites visited or attempted. Inappropriate Internet or e-mail usage can expose CBH to significant legal liability and reflect discredit on the Agency.
B. CBH has installed software to prevent access to objectionable Internet sites and to monitor Internet access. The IT Department will periodically review and document Internet activity. Employees should be aware that any information accessed, downloaded, or transmitted may be reviewed by IT staff, and District management will be notified if any employee is repeatedly attempting to reach blocked sites or is frequently visiting non-work-related sites.
C. When using CBH computers and resources to send or receive e-mail or to access Internet sites, employees are consenting to the monitoring of their use and have no reasonable expectation of privacy in the use of these resources.
D. CBH monitoring is limited and is done in an ethical and professional manner.
E. Failure to comply with this policy may result in disciplinary action, up to and including termination from employment.
For additional information or assistance, please contact the District Personnel Office at 706/272-2342.