1.170 Access to Electronic Data

Op10.04-22 Access to Electronic Data

Purpose

It is the policy of Missouri State University to secure our patients’ protected health information in compliance with federal law and federal regulations at 45 CFR 164.530(c)(1) and (2), and 42 CFR Part 2. To assist in assuring that protection, it is the practice of Missouri State to assure that its workforce recognizes the importance of such security provisions and affirmatively acknowledges those guidelines.

Application

Applies to Missouri State University, its Health Care Components (HCC) and workforce.

  1. Contents
    1. Definitions
    2. General
    3. User Access to Electronic HCC Data
    4. Access to Electronic Media – Internet and Electronic Mail
    5. Training on Access
    6. Required Confidentiality Agreement
    7. Password Management
    8. Sanctions
    9. Review Process
  2. Definitions
    1. Computer Systems: Computers connected to local and statewide communication networks, database storage or electronic records systems, Internet or email.
    2. Missouri State Network: Electronic network allowing access to Missouri State’s personal computers, facility-based systems, centrally-based systems (e.g., AS/400, Windows 2000 Server, Mainframe, etc.) and electronic data.
    3. Local Area Network: Electronic network access allowing access to an individual facility’s electronic data and computers.
    4. Network attached computer: Any computer with access to a local area network and/or the Missouri State network.
    5. Missouri State Workforce: Includes employees, volunteers, contract workers, trainees and other persons who are in a Missouri State HCC on a regular course of business. This shall include students, faculty and staff employed by Missouri State.
    6. Patient: Any individual who has received or is receiving services from a HCC operated by Missouri State.
    7. Restricted Access: Computer systems with access limited to specific systems, activities, or files.
    8. Confidentiality Agreement: Agreement between any business partner with which Missouri State shares patient data which sets forth confidentiality requirements and limitations necessary for working with patient, HCC, and Missouri State’s information.
    9. Security Officer (SO): Individual designated by Missouri State to oversee all activities related to the development, implementation, maintenance of, and adherence to university policies and procedures covering the electronic and physical security of, and access to, protected health information and other Missouri State data in compliance with federal and state laws and regulations.
    10. Media: Backup tapes, hard drives, floppy diskettes, CDs, DVDs, zip drive cartridges, optical media, and paper hard copies.
    11. Protected Health Information (PHI): Individually identifiable health information. See HIPAA Procedure 1.005, 1.b. and c.
  3. General
    1. Administrator’s Right to Access Information
      1. Pursuant to the Electronic Communications Privacy Act of 1986 (18 USC 2510, et seq.), the university has complete access to all email and Internet activities. No electronic communications sent or received are considered private to the employee. The university has the right to monitor messages and Internet use as necessary to assure efficient and appropriate use of the technology.
      2. Each of the electronic communications technologies may create electronic records that are easily saved, copied, forwarded, retrieved, monitored, reviewed, and used for litigation. All electronic records are the property of Missouri State and can be accessed and used by administration when:
        1. A legitimate need exists; or
        2. There is reasonable cause to suspect criminal activity or policy violations; or
        3. Law, regulation, or third-party agreement requires such monitoring.
      3. These disclosures of electronic records may be made without prior notice to the staff members who sent or received the communications. Employees and students should not assume any electronic communication or storage to be private.
  4. User Access to Electronic HCC Data
    1. To gain access to any HCC protected health care information, Missouri State workforce members who are not otherwise permitted access pursuant to these regulations or law are required to complete the Missouri State Staff Access Request Form. Such access shall be limited to the minimum necessary amount of protected health information to accomplish the purpose of any requested use or disclosure of PHI.
      1. The appropriate supervisor or Unit Privacy or Security Officer must approve the request(s) in writing.
      2. The request form(s) must be submitted each time a user’s access status changes or a user leaves the university.
      3. Users will be assigned a role-based unique user ID by the appropriate IT staff.
      4. User IDs will be password protected.
      5. Network passwords will expire every 120 days.
    2. Users shall be required to protect confidential data pursuant to all Missouri State policies.
    3. Missouri State shall maintain a Disaster Recovery Plan, approved by the University Security Officer to assure continued operations in the event of an emergency.
    4. No Missouri State patient or volunteer shall have access to another person’s PHI or any other Missouri State patient demographic system, or be allowed to input information to local systems that may be used to feed or modify those systems, unless they are employed by the health facility as defined by policy and have signed the confidentiality statement, or unless authorized by the patient or as otherwise authorized by the regulations or law. Any proposed patient access shall include documentation of the patient reviewing and agreeing to a confidentiality statement. Documentation shall include the types of systems and files accessed. Such patient access shall be approved by the HCC director.
  5. Access to Electronic Media – Internet and Electronic Mail
    1. Users are required to abide by the Missouri State Computer Use (IT) policies when using University information technology resources. See Missouri State IT Policies web page.
    2. Electronic mail and/or the Internet may not be used for (the following are summaries of Missouri State IT policies – see the policies for specific policy language):
      1. Any illegal or unethical purpose;
      2. Private purposes such as advertising products or services, business transactions, or for private business activities;
      3. Operating a business, sending chain letters, or soliciting money for any purpose;
      4. Transmitting, downloading or viewing material that is obscene, pornographic, threatening or harassing, or information that may be perceived to be obscene, threatening or harassing to another individual;
      5. Disseminating, copying, or printing copyrighted materials (including articles, software, music and movies) in violation of copyright laws;
      6. Subscribing to mailing lists and broadcast services that do not relate to the business of the University; or
      7. Participating in Internet chat rooms or instant messaging, including but not limited to AOL Instant Messenger and Internet Relay Chat (IRC).
  6. Training on Access. All Missouri State HCC workforce members must receive the privacy training required by policy.
  7. Required Confidentiality Agreement
    1. Workforce members that receive or maintain PHI shall be required to agree to the security of such PHI in accordance with the state and federal laws as set forth above. These students, faculty and staff members shall sign a confidentiality statement pursuant to policy. A copy of the signed confidentiality statement shall be maintained in the personnel file of Missouri State staff.
  8. Password Management
    1. Passwords shall not be shared.
    2. Passwords shall be changed immediately if the user is aware that someone else knows it.
    3. Users shall not change their passwords while others are present.
    4. Passwords shall contain six to eight characters.
    5. Passwords should have no connection to the user (e.g., user name, children’s names, etc.).
    6. Passwords shall contain alphabetic or numeric characters.
    7. Passwords may contain both upper and lower case characters.
    8. The password should be changed completely when it expires.
  9. Sanctions. Failure of student, faculty, and workforce members to comply or assure compliance with the policy may result in disciplinary action, including dismissal.
  10. Review Process. The University Privacy Officer will collect information from the Unit Privacy Officers during the month of April each year beginning in 2004 for the purpose of providing feedback to the HIPAA Management Team as to compliance with the procedure and any proposed modification or recommendation that additional training be implemented.

HISTORY: Effective March 21, 2003