Computer, Internet and E-Mail Usage Policy

<The following is a sample policy template for computer, internet and email use by your Employees and other members of the workforce. This policy is designed to be integrated into an employee manual or contractor’s agreement, where the recipient will sign and attest they have received and agree to the policy. Customize for your specific organization.>

Policy

<Covered entity name/Business Associate name (“Company”)> will provide Employees and other members of the workforce with access to the Internet for the purpose of enhancing the productivity of Employees and other members of the workforce in conducting Company’s related work tasks. Internet access may include appropriate research and database searches, use of Internet or Web-based applications that have been approved for use by the Company, approved data and secure data exchanges such as:

  • web-based electronic health record
  • claims clearinghouse
  • health plan eligibility verification system
  • patient or health plan member portal
  • health information exchanges
  • electronic mail correspondence with other Company Employees and members of the workforce.

Internet and internal e-mail services accessed from Company computer systems should only be used for purposes that directly, or indirectly, relate to Company’s business activities.

Company provides computers and electronic devices including smartphones and tablets, and systems including electronic mail (e-mail) and voice-mail for the use of Employees and other members of the workforce in the efficient and professional conduct of Company business. These systems are the property of the Company and as such, the Company reserves the right to access information stored in these systems when necessary.

Authorized personnel of the Company may have access to any Company property, including the contents or information contained therein (whether closed, locked or accessed through personal codes), which are located on or in computers and devices that contain Company information.

Information that may appear to have been erased or deleted from files, computers or other information systems may still exist and be accessible by the Company. If deemed necessary, the Company reserves the right to inspect e-mail messages and disclose said content to outside entities or law enforcement agencies.

Employees and other members of the workforce are advised not to enter personal information in the e-mail or voice-mail systems or other applications on or in Company computers and devices including on Company applications that are hosted via the Internet, or in private “clouds” or data centers, which they do not wish subject to this policy. Employees and other members of the workforce are advised to inform others of this policy who may have occasion to leave personal messages or property for them at any Company-related premises or through any Company-related electronic systems.

All programs or documents downloaded from the Internet or received via e-mail must be scanned by the standard virus protection software before being used. If information is downloaded from the Internet, any associated terms and conditions specified by the supplier of the information must be adhered to. Employees are not allowed to download programs or applications unless they have received permission to do so from [supervisor] [security official] [IT department].

Employees and members of the workforce are not allowed to use Company provided computers or other devices to access personal emails, engage in personal instant messaging or chatting or other non-Company approved applications.

Employees and members of the workforce are not allowed to use Company provided computers or other devices to participate in social media such as Facebook or Twitter unless this access has been approved as part of the Employee/workforce member’s job requirements and approved by [supervisor] [security official].

Employees and members of the workforce are advised not to use personal computers and other devices to access Company applications, email and other systems unless these devices have been configured and approved by the Company.

Employees and members of the workforce are asked not to use public computers or public networks to access Company applications unless this has been approved by [security official] [IT department].

To limit the likelihood of an infected or corrupted data file being downloaded on our networks, or of a virus or other malware being introduced, Employees and other members of our workforce are asked to refrain from using any personal application or software, accessing personal email accounts, or downloading or accessing (opening) music or files; these tasks should never be conducted on any computer while a Company software application is open or in use that contains or might contain Protected Health Information or any proprietary and confidential Company or patient/plan member information.

Information used on the Internet should not violate the terms and conditions of the Digital Millennium Copyright Act and other similar laws or those of copyright law. If you do not understand or are unsure of these copyrights, please speak to the Security official.

Internet services should not be used to obtain unauthorized information or information that is personal or private to another individual or organization. If such material is accidentally received or obtained, its contents should not be discussed or disseminated except to the intended recipient. Employees and other members of the workforce must not visit pornographic or similar sites. These sites may install malicious software code on our computers and violate Company’s policy regarding professional conduct. If an employee accidentally visits such a site or is concerned that any site has installed malicious software code, immediately inform your [supervisor] [security official].

At no time may Employees and other members of the workforce make entries to Blogs (web logs), participate in chat rooms, or submit entries to websites that are available to non-Company Employees and other members of the workforce or authorized contractors that reference Company Employees and other members of the workforce, former Employees and other members of the workforce, officers, directors, shareholders, or partners or any Company policies, procedures, or business practices, either directly or indirectly. Any such activities are violations of Company confidentiality policies.

Employees and other members of the workforce should be aware that e-mail (whether internet or internal) is not private and that messages can be intercepted, forged, forwarded to outside persons, or misused without the sender’s consent or knowledge. E-mail should not be used for highly confidential business or used in lieu of contracts or formal agreements.

Employees and other members of the workforce should not send PHI via email unless the email is encrypted, or as otherwise approved by the IT Department or the privacy or security official. In limited cases email containing the patient’s electronic health record notes may be sent if the patient has been advised of the risks of use of email and each case is approved by the privacy or security official. [Note: Many covered entities are not allowing email use for PHI transmittal as a blanket policy. If you allow email use to transmit PHI be sure to have in place the technology to encrypt and secure the email as well as the procedures for this in the Procedure Manual.]

Employees and other members of the workforce should never open email messages or download any email attachments that are from unknown sources. These attachments may contain malicious viruses or otherwise compromise the security of our information systems. Employees and other members of the workforce are cautioned to be alert to “phishing” scheme emails that appear to be from a legitimate source or have legitimate content but ask for passwords or log in codes, or attempt to redirect the user to a suspicious website or link. Such schemes often have email “from” addresses that are suspicious. If an email is accidentally opened or an attachment is accidentally downloaded that contains malicious software code, or that you suspect contains malicious software code, immediately inform [supervisor] [security official].

E-mail may not be used to solicit others for commercial ventures, religious or political causes, outside organizations, or other non-business matters.

Employees and other members of the workforce must adhere to Company’s professional conduct standards and ensure that they do not use Internet services or internal e-mail for illegal or offensive activities. This policy prohibits the inclusion of any discriminatory, offensive, hostile, intimidating, or self-incriminating material in e-mail messages.

Employees and other members of the workforce are prohibited from installing any foreign media on their computers without the permission of the [security official]. This includes CD-ROMs, DVDs, USB storage drives, MP3 files (via an MP3 player or other device such as an iPod®), backup devices and so forth.

Company often purchases and licenses the use of various computer software for business purposes and does not own the copyright to this software or its related documentation. Unless authorized by the software developer, Company does not have the right to reproduce such software for use on more than one computer. No software owned by an employee shall be installed on a Company owned computer without permission from the licensing authority and permission of the [security official].

Employees and other members of the workforce may only use software on local area networks or on multiple machines according to the software license agreement. Company prohibits the illegal duplication of software and its related documentation.

Passwords and user log-on identification codes are designed to safeguard the confidentiality, integrity and availability of the computer networks and their data. Employees and other members of the workforce must adhere to all password management procedures, including but not limited to: never sharing a password with any other person except for [security official, Physician in charge, IT Director], changing passwords at regular intervals as specified by the Security Procedure Manual, using strong passwords that are a combination of letters, numbers and symbols, and not writing down passwords where they can easily be found.

Employees and other members of the workforce are not allowed to change settings on their computers (such as control panel settings, screen timeouts etc.) unless they have permission from the [security official].

Employees and other members of the workforce must run any updates or back-ups as prompted by the system; all concerns about this should be directed to the [IT manager] [security officer].

Employees and other members of the workforce must turn off their computer or otherwise log it off when they are leaving for the day or for an extended time period, or when trained to do so at a more frequent time frame (for example whenever leaving a workstation unattended).

Employees and other members of the workforce should notify the [IT department] [security official] if they notice their computer slowing in performance, or any other suspicious operations.

Company owned computers and devices, with the exception of laptops intended for use both inside and outside Company offices or common to a group, shall not be removed from the premises.

Use of laptops, Smartphones and Tablets must follow these policies. All laptops, Smartphones and Tablets must use unique logins and passwords where permitted by the device. Laptops, Smartphones and Tablets must not be left in public areas unattended and must at all times be securely handled by the employee or member of the workforce. Such devices may be encrypted by Company.

Laptops, Smartphones or Tablets used in public places such as airplanes should be shielded from view by unauthorized persons. Laptops, Smartphones or Tablets used at the employee or member of the workforce’s residence or home must be kept secure from theft as well as use or incidental viewing by unauthorized persons such as family members. All laptops, Smartphones or Tablets should be set to log off at short time periods of inactivity and these settings should not be altered without the approval of the security official.

Employees and other members of the workforce are not allowed to discard, destroy or remove any computers, Smartphones, Tablets or computer media (backup tapes, discs, USB storage drives, etc.) without the permission of the [security official].

Employees and other members of the workforce should notify the [security official, privacy official, CEO etc.] upon learning of violations of this policy. Employees and other members of the workforce who violate this policy will be subject to disciplinary action, up to and including termination of employment.

© 2013 by PrivaPlan™ Associates, Inc. All Rights Reserved.