All E-Mail Systems (Exchange, Groupwise, Cc:Mail, and Meditech Magic Office, Also Known As MOX)

DEPARTMENT: Information Technology & Services / POLICY DESCRIPTION: Electronic Communication
PAGE:1 of 5 / REPLACES POLICY DATED:
APPROVED: November 12, 1998 / RETIRED:
EFFECTIVE DATE: January 1, 1999 / REFERENCE NUMBER: IS.SEC.002
SCOPE: This policy applies to all users (employees and non-employees) of Company e-mail and electronic communication systems. Unless otherwise indicated, this policy applies to both internal Company e-mail and e-mail sent over the Internet. The policy applies to all of the Company’s e-mail systems and other electronic communication systems and methods, including:

• all e-mail systems (Exchange, GroupWise, cc:Mail, and Meditech Magic Office, also known as MOX)
• the World Wide Web
• Internet-based discussion groups, chat services, and mailing lists; and
• electronic bulletin board systems and online services to which the company subscribes.

PURPOSE: This policy is designed to protect the Company, its personnel, and its resources from the risks associated with use of e-mail and the Internet.
POLICY:

1. Company employees and other users of Company e-mail and electronic communication systems may ONLY transmit patient-identifiable information via the Company’s internal e-mail systems (i.e., MOX, Exchange, and GroupWise) to other users of the Company’s internal e-mail systems who are authorized to access such information in accordance with the Company’s Appropriate Access policies.

2.Company employees and other users of Company e-mail and electronic communication systems may ONLY transmit patient-identifiable information, or confidential information as defined in the Company’s Code of Conduct, to persons or entities outside the Company using secure methods specifically approved in advance by the IS Security Department and in accordance with the Company’s Appropriate Access policies.
3.Company employees and other users of Company e-mail and electronic communication systems may NOT post patient-identifiable information, or confidential information as defined in the Company’s Code of Conduct, on publicly-accessible areas of the Internet (e.g., discussion groups, bulletin boards, chat services, etc.)
4.The Internet and e-mail are to be used to facilitate Company business and only highly-limited, reasonable personal use is permitted.
PROCEDURE:

1. E-mail and Internet Usage Monitoring

To ensure appropriate use and successful operation of the Company’s electronic communication systems and the information they contain, it is sometimes necessary for authorized personnel to access and monitor their contents. Statistical information about each user and other measures of system performance, such as number and size of messages sent and received, Internet sites visited, length of time spent using the Internet, etc., are routinely collected and monitored by system administrators. While the goal of this type of monitoring is to evaluate and improve system performance, any evidence of violations of this electronic communications policy discovered in the course of this type of monitoring will be reported to the appropriate managers.
Only the Corporate Legal Department can authorize access to and disclosure of an individual colleague’s messages without that colleague’s knowledge. A manager or other designated individual, when properly authorized by the Corporate Legal Department, may access and read any message sent or received via the Company e-mail or Internet system, whether of a business or personal nature, at any time. Information contained in e-mail messages may be revealed to the appropriate authorities, both inside and outside of the Company, to document employee misconduct or criminal activity. Moreover, in some situations, the Company may be required to publicly disclose e-mail messages, even those marked private or intended only for limited internal distribution.

2.Appropriate use of the Internet and e-mail systems

a. Acceptable Use

The Company encourages the use of the Internet and e-mail because they can make communication more efficient and effective. However, Internet access and e-mail are Company property, and their primary purpose is to facilitate company business. Every user has a responsibility to maintain and enhance the Company’s public image and to use Company e-mail and access to the Internet in a productive manner.
The Company recognizes that employees may occasionally need to conduct personal business at the office and permits highly-limited, reasonable personal use of the Company’s communication systems. However, any personal use of the Company’s communication systems is subject to all the provisions of this policy.

b. Unacceptable Uses of the Internet and e-mail systems

The Company’s Internet access and e-mail systems may NEVER be used in any of the following ways:

• To harass, intimidate, or threaten another person.
• To access or distribute obscene, abusive, libelous, or defamatory material.
• To distribute copyrighted materials that are not authorized for reproduction/distribution.
• To impersonate another user or mislead a recipient about your identity.
• To access another person’s e-mail, if not specifically authorized to do so.
• To bypass the systems’ security mechanisms.
• To distribute chain letters.
• To participate in political or religious debate.
• To automatically forward messages (e.g., with mailbox rules) to Internet e-mail addresses.
• To communicate the Company’s official position on any matter, unless specifically authorized to make such statements on behalf of the Company.
• For any purpose which is illegal, against Company policy, or contrary to the Company’s best interests.
• To pursue an individual’s business interests that are unrelated to the Company.
• To conduct any type of personal solicitation.

3.Retention of Business Records Sent via E-mail

Messages and documents transmitted by e-mail are similar to paper documents and other forms of correspondence in that they may be considered official business records of the Company and are therefore subject to the Company’s records management policy.
To determine whether an e-mail message must be retained and for how long, it may be helpful to think of the message as if it had been a paper memo or document. If you would be required by the records management policy to retain that memo, then you are required to retain that e-mail message for the same length of time.
The originator/sender of the message (or the recipient of a message if the sender is outside the Company) is the person responsible for retaining the message. E-mail messages may be retained in electronic form in the mailbox, or printed and filed along with other documents related to the same topic or project. Users may delete messages that they are not required by the records management policy to retain or that are being retained in printed form.
As with all business records, e-mail may be subject to discovery in the event of litigation. As with all communications, colleagues should avoid saying anything that might appear inappropriate or that might be misconstrued by a reader.

1. System and Technical Considerations

The Company’s e-mail and Internet access systems do not have unlimited transmission or storage capacity. For this reason, it is necessary to establish some limits on message size, mailbox size, and volume of messages. Some of these limits are configured in the system, while others depend on judicious use of e-mail features.

a. Message Size

Messages, including attachments, should not exceed two megabytes (sometimes indicated as 2 MB or 2000K). Use file compression utilities such as PKZip or WinZip on large files to reduce their size before attaching them to a message. Do not include clipart or other graphics in auto-signatures.
For very specific business reasons, such as the recurring exchange of large spreadsheets or other working documents between the Corporate Office, Group and Division Offices, and affiliated facilities, users may request authorization to routinely send larger files. In peak traffic times, it may be necessary for the system administrators to stagger or delay the delivery of large messages until after normal business hours.

b. Internet Distribution Lists (“ListServs”)

Internet distribution lists (often called ListServs) are the Internet's version of electronic mailing lists and newsletters. "Subscribers" to a list on a given topic will receive e-mail relating to that topic and can generally contribute additional information or questions for redistribution to subscribers.
Colleagues may subscribe to lists on topics relevant to their work at the Company. However, posting to discussion lists or other online discussion forums is subject to the restrictions concerning representing the Company on-line. Unless a colleague has been told that he or she is specifically authorized to speak to the press or comment publicly on behalf of the Company, a colleague is not authorized to represent the Company in lists or online discussions. Any posts or replies should indicate that they reflect the colleague’s own opinions and not those of the Company. The Information Systems Department, at its discretion, may restrict ListServs generating excessive e-mail volume.

c. Computer Viruses

Electronic communications are a potent source of computer viruses. E-mail messages themselves are not infected, but the programs, documents, and other files attached to them can infect PCs when the attachments are opened or the programs are executed. Similarly, files that are downloaded from the Internet or bulletin board systems may infect PCs with harmful viruses. For this reason, it is essential that all e-mail and Internet users have the Company’s standard anti-virus utility properly installed and running on their PCs.
Internet e-mail is also a frequent source of misinformation about supposed viruses, sometimes called hoax viruses or nuisance viruses. The creators of these hoaxes are generally trying to waste one’s time and consume the Company’s e-mail system resources with unnecessary activity. Typically, these messages resemble chain letters, describing a dire consequence if one opens an e-mail message with a specific subject line and suggesting that one should warn everyone possible by e-mail about this problem. PCs cannot become infected by a virus simply by opening a message. To inquire about a virus warning’s authenticity, consult the IS department or other PC support resource. Do not forward the message to a large number of users.

5.Sanctions

Adherence to this electronic communication policy is neither voluntary nor optional. Violation of this policy is grounds for disciplinary action up to, and including, termination of employment or contractor status and/or legal action.
REFERENCES: Appropriate Access Policies, IS.AA.001 through IS.AA.015
Copyright Policy, LL.GEN.002
Records Management Policy, EC.014
IS Security Policy, IS.SEC.001
Code of Conduct, “Electronic Media,” page 9.