HIPAA Core Policy: Internet and eMail Use

Abstract:
This policy sets forth rules for the use of email and internet so that such activity does not negatively impact the confidentiality, availability, integrity, and reputation of UAB and UAB Health System and their assets and supports applicable federal and state laws.

Effective Date: 07/22/04

Review/Revised Date: 02/02/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To ensure that the use of email and internet activities does not negatively impact the confidentiality, availability, integrity, and reputation of UAB and UAB Medicine Enterprise and their assets, and to ensure compliance with applicable federal and state laws.

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time), and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital; The Kirklin Clinic of UAB Hospital; The Kirklin Clinic of UAB Hospital at Acton Road; Whitaker Clinics of UAB Hospital; UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics; UAB Health Centers; Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise; Triton Health Systems, LLC; VIVA Health, Inc.; the University of Alabama Health Services Foundation, P.C.; Ophthalmology Services Foundation, P.C.; Valley Foundation; and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

3. DEFINITIONS:

3.1. Protected Health Information (PHI): Health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse; that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; that identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual; and that is transmitted or maintained by electronic media or in any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

3.2. Sensitive and Restricted Information or Data: Sensitive data is data that should be kept confidential; access to these data shall require authorization and a legitimate need-to-know. Restricted data is sensitive data that is highly confidential in nature and carries significant risk from unauthorized access; privacy and security controls may be required by law or contract. PHI is restricted data.

3.3. Email: The electronic transmission of information through a mail protocol such as SMTP, POP, or IMAP.

4. POLICIES:

4.1. All email messages, documents, correspondence, and data obtained through UAB network resources are considered UAB property.

4.2.  Users shall have no expectation of privacy in email and internet use.

4.3.  UAB may monitor messages and internet use without prior notice.

4.4.  Users are responsible for reporting any suspected or confirmed violations of this policy to their department manager or either the UAB Information Security Office or the UAB Medicine Office of Information Security.

4.5. Users shall not misuse their Internet privileges, e.g., by spending excessive time on the Internet for non-work-related business or by accessing inappropriate sites.

4.6. Users shall not misuse their email privileges, e.g., by sending and forwarding non-business-related mass emails.

4.7. Users shall delete chain and junk email messages without forwarding or replying to them. Electronic chain letters and other forms of non-business-related mass mailings are prohibited.

4.8. Personnel shall not use UAB resources to view, record, or transmit materials that violate UAB policies. Inappropriate messages, pictures, and/or other visual images/materials include, but are not limited to:

4.8.1. Fraudulent messages - Messages sent under an anonymous or assumed name with the intent to obscure the origin of the message.

4.8.2. Harassment messages - Messages that harass an individual or group for any reason, including race, sex, religious beliefs, national origin, physical attributes, or sexual preference.

4.8.3. Obscene messages - Messages that contain obscene or inflammatory remarks.

4.8.4. Pornographic materials - This includes, but is not limited to, pictures, audio/video files, literature, or newsgroups.

4.9.  Users shall not engage in spamming activities. Electronic chain letters and other forms of non-business-related mass mailings are prohibited.

4.10. Users shall not photograph, record, post, or transmit patient images or information, electronically or otherwise, unless doing so is in accordance with an approved use or disclosure and approved methods for doing so are utilized.

4.11. Users shall not share sensitive or restricted information, including protected health information (PHI), with any cloud provider that has not been approved by the Information Security Office (including but not limited to Google Apps, DropBox.com, GoogleDocs, iCloud, etc.).

4.12. Users shall not send or forward email containing sensitive or restricted information, including protected health information (PHI), to public email systems (including but not limited to Hotmail.com and gmail.com) where a Business Associate Agreement (BAA) or approval from the Privacy Office is not in place.

4.13. Personal email accounts shall not be used for official UAB business.

4.14. UAB reserves the right to block access to non-business related material.

4.15. Email transmission of PHI, if necessary, shall be conducted with the highest level of security applied and only in situations where the email is necessary for the treatment of the patient, payment, and health care operations. For users of the uabmc.edu email system only: To send email transmissions over the Internet (outside the UAB and UAB Medicine networks), PHI and other sensitive information shall be encrypted. Email shall not be transmitted over the Internet from any other email system unless/until an encryption method is approved for that email system.

4.16. Users shall comply with all laws related to copyright, intellectual property, and personal property.

4.17. Users shall check their email regularly and delete unneeded email.

4.18. Users shall not knowingly download non-work-related executable files from the Internet.

4.19. Users shall not establish peer-to-peer connections to external parties.

4.20. Users shall not knowingly enable anyone to gain unauthorized access or control of any device, application, system, or resource.

4.21. Users shall report suspicious emails using the Report Phishing button or forward to phishing@uabmc.edu.

4.22. For the UAB Medicine network, the use of any software or service that hides the identity of the user or the location of the user while using the Internet is prohibited (including but not limited to proxy bypass, anonymization networks such as Tor, and VPN connections).

4.23. Individuals may be granted access to the email account of their former employee or vendor with Human Resources approval. This may require written approval from the requestor’s supervisor.

4.23.1. The account shall be used only for the retrieval of existing email and shall not be used to impersonate the former personnel or send email communications on their behalf.

4.23.2. Access shall be granted for 7 days and any extension must be approved by a Chief Information Security Officer.

4.24. Users shall not use their UAB passwords on any non-corporate systems (e.g., banking, personal email, etc.).

4.25. Users shall not circumvent UAB technical security controls.

4.26. Users shall not transfer restricted or sensitive information to an unencrypted or unapproved device.

4.27. Users shall log off applications, workstations, laptops, and devices after use.

4.28. Users shall not store restricted or sensitive information on non-UAB equipment, such as personally owned devices, unless properly authorized to do so.

4.29. Users shall not provide personal or official UAB information solicited by unknown individuals or suspected phishing email or websites.

4.30. Users shall follow the same security policies at any alternate workplaces as those required on the UAB or UABHS networks.

5. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.1. Your departmental HIPAA Entity Security Coordinator, found on the HIPAA website.

5.2. The HSIS Help Desk at 205-934-8888.

5.3. The UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu.

5.4. UABHS Information Security Office at 205-975-1440.

5.5. UAB IT Data Security Office at 205-975-0842.


6. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as may be required by law.

7. REFERENCES: None.

8. ATTACHMENTS: None.

To view other HIPAA Core Policies and for more information, please visit the HIPAA website.