Delivering quality healthcare requires precise, accurate, and timely communication between medical professionals, caregivers, and patients. BBS endeavors to protect patient data from unauthorized access and privacy breaches while achieving this. Our organization strongly understands the vitality of health data protection and has framed health data security policies as a measure to protect patient data from violations.
Data Security and Privacy Protection
- Our organization holds and processes conﬁdential and personal information that includes information relating to operations, personal health information on private individuals, and data provided by partners including their employees.
- The information and data stored within our organization is an asset that it has a duty and responsibility to protect such data.
- The Data Governance Policy sets out the approach to managing information security.
- The Data Governance Policy is approved by management and is communicated to all staﬀ and employees of BBS, contractual third parties, and agents.
Organization of Information Security
This policy ensures that Information will be protected from a loss of:
- Conﬁdentiality: So that information is accessible only to authorized individuals.
- Integrity: So that accuracy and completeness of information and processing methods are safeguarded.
- Availability: So that authorized users have access to relevant information when required.
Information Security Incident Management
- Information security incidents and vulnerabilities associated with information systems will be communicated in a timely manner. Appropriate corrective action will be taken.
- Formal incident reporting and escalation will be implemented.
- All employees, contractors, and third-party users will be made aware of the procedures for reporting the diﬀerent types of a security incident, or vulnerability that might have an impact on the security of our assets.
- Information security incidents and vulnerabilities will be reported as quickly as possible to our Management.
Professional Server Support
- Our knowledgeable and experienced technicians monitor and manage servers, ensuring that they run eﬃciently and aren’t exposed to threats that could put the organization at risk.
IT Security Audit
- The purpose of IT Security Audits is to ensure compliance with federal regulations, state regulations, private payers, and other regulatory bodies.
- IT Security Audits are conducted once in a quarter to ensure the company does not pose a security risk to corporate networks, internal systems, and/or conﬁdential/sensitive information.
- Compliance Measurement: Our audit team veriﬁes compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
- Exceptions: Any exception to the policy must be approved by the audit team in advance.
- Non-Compliance: An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment
Remote Access Policy
- Remote access to our corporate network is essential to maintain our Team’s productivity, but in many cases, this remote access originates from networks that may already be compromised or are at a signiﬁcantly lower security posture than our corporate network
- We must mitigate these external risks to the best of our ability
- It is the responsibility of employees with remote access privileges to the company’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection.
- Unauthorized Users will not use the conﬁdential networks to access the Internet for outside business interests.
- The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access.
Workstation Security (For HIPAA) Policy
- This policy applies to all employees at BBS, with an owned or personal-workstation connected to the company’s network.
- Appropriate measures must be taken when using workstations to ensure the conﬁdentiality, integrity, and availability of sensitive information, including protected health information (PHI), and that access to sensitive information is restricted to unauthorized users.
- Workforce members using workstations shall consider the sensitivity of the information, including protected health information (PHI) that may be accessed and minimize the possibility of unauthorized access.
- BBS implemented physical and technical safeguards for all workstations that access electronically protected health information to restrict access to authorized users.
- Appropriate measures include: Restricting physical access to workstations to only authorized personnel. Securing workstations (screen lock or log out) prior to leaving the area to prevent unauthorized access.
- Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were leG unsecured will be protected. The password must comply with the company’s password policies.
- Ensuring workstations are used for authorized business purposes only.
- Never installing unauthorized software on workstations.
- Storing all sensitive information, including protected health information (PHI) on network servers
- Keeping food and drink away from workstations in order to avoid accidental spills.
- Complying with the Portable Workstation Encryption Policy
- Exit running applications and close open documents
- Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
- If wireless network access is used, ensure access is secure by following the Wireless Communication policy.
Software Installation Policy
- The purpose of this policy is to outline the requirements for installing software on a company’s device.
- To minimize the risk of loss of program functionality, the exposure of sensitive information contained within the company’s computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.
- Employees may not install software on the company’s computing devices operated within the company’s network.
- Software requests must ﬁrst be approved by the requester’s manager and then be made to the Information Technology department or Help Desk in writing or via email.
- The software must be selected from an approved software list, maintained by the Information Technology department unless no selection on the list meets the requester’s need.
HIPAA Core Policies for Internet and Email users
- To ensure that the use of emails does not negatively impact the conﬁdentiality, availability, integrity, and reputation of the organization and their assets
- To ensure compliance with applicable federal and state laws
- All email messages, documents, and data obtained through the company or company’s network resources are considered to be the organization’s assets.
- Authorized users shall have no expectation of privacy in email.
- The organization may monitor messages and internet use without prior notice.
- Users are responsible for reporting any suspected or conﬁrmed violations of this policy to their immediate supervisors or managers
- Users shall not misuse their Internet privileges, i.e., spending excessive time on the Internet for non-work related business or accessing inappropriate sites.
- Users shall not misuse their email privileges, i.e., sending and forwarding non-business related mass emails.
- Users shall delete chain and junk email messages without forwarding or replying to them. Electronic chain letters and other forms of non-business related mass mailings are prohibited.
- Users shall not engage in spamming activities. Electronic chain letters and other forms of non-business-related mass mailings are prohibited.
- Personnel shall not use the organization’s resources to view, record, or transmit materials that violate its policies. Inappropriate messages, pictures, and/or other visual images/materials include, but are not limited to:
- Fraudulent messages – Messages sent under an anonymous or assumed name with the intent to obscure the origin of the message.
- Harassment messages – Messages that harass an individual or group for any reason, including race, sex, religious beliefs, national origin, physical attributes, or sexual preference.
- Obscene messages – Messages that contain obscene or inﬂammatory
- Users shall not photograph, post, or transmit patient images or information, electronically or otherwise, unless doing so is in accordance with an approved use or disclosure, and approved methods for doing so are utilized.
- Users shall not share sensitive, restricted, or protected health information (PHI) to any cloud provider that has not been approved by the Information Security Oﬃce (including but not limited to Google Apps, DropBox.com, GoogleDocs, iCloud, etc.).
- Users shall not send or forward emails containing sensitive, restricted, or protected health information (PHI) to public email systems.
- Users shall not forward sensitive information, PHI, or other business information to non-business-related email accounts.
- Personal email accounts shall not be used for oﬃcial purposes.
- The organization reserves the right to block access to non-business-related material
- Email transmission of PHI, if necessary, shall be conducted with the highest level of security applied and only in situations where the email is necessary for the treatment of the patient, payment, and health care operations
- Users shall comply with all laws related to copyright, intellectual, and personal property.
- Users shall not knowingly download non-work-related executable ﬁles from the Internet.
- Users shall not establish peer-to-peer connections to external parties.
- Users shall not knowingly enable anyone to gain unauthorized access or control of any device, application, or system to the data networks
- Users shall report suspicious emails using the Report Phishing button.
- Individuals may be granted access to the email accounts of their former employees with Management’s approval. This may require written approval from the requestor’s supervisor.
- Users shall not utilize or save their passwords on any non-corporate systems (i.e., banking, personal email, etc.).
- Users shall not transfer restricted or sensitive information to an unencrypted or unapproved device.
- Users shall log oﬀ applications, workstations, laptops, and devices aGer use.
- Users shall not provide personal or oﬃcial information solicited by unknown individuals or suspected phishing emails or websites.
Any user found to have violated the above-listed policies may be subject to disciplinary action, up to and including termination of employment, depending on the severity of the infraction. In addition, the company may report the matter to civil and criminal authorities as may be required by law.