Internet and Email Use Policy
PURPOSE
To ensure that the use of email and Internet services does not negatively impact the confidentiality, integrity, availability, and reputation of iEHR and its assets, and to ensure compliance with applicable federal and state laws. An authorized user's access to the Internet and/or email services for limited personal use is a privilege that, if not properly monitored and controlled, could result in harm to the organization or in violations of federal and state law. The primary use of these services is for business and clinical purposes, and they must therefore be appropriately protected.
DEFINITIONS
- Protected Health Information (PHI): Health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or provides a reasonable basis to believe the information can be used to identify the individual, and that is transmitted or maintained by electronic media or in any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.
- Sensitive Information or Data: Any information that may only be accessed by authorized personnel. It includes Protected Health Information, financial information, personnel data, trade secrets, and any information that is deemed confidential or that would negatively affect iEHR if inappropriately handled.
- Email: The electronic transmission of information through a mail protocol such as SMTP, POP, or IMAP.
- User: Any employee or other person authorized by iEHR to read, enter, or update information created or transmitted via the electronic mail system.
PROCEDURE
- Internet Usage
- Users are responsible for reporting any suspected or confirmed violations of this policy to their department manager or the Security Officer.
- Users shall have no expectation of privacy in email and internet use. iEHR may monitor messages and internet use without prior notice.
- Users shall not misuse their Internet privileges, e.g., by spending excessive time on the Internet for non-work-related purposes or by accessing inappropriate sites.
- Users shall not photograph, post, or transmit patient images, electronically or otherwise, without a signed consent.
- Users shall not share sensitive information or PHI on public web sites or consumer cloud services (e.g., Google Apps, Google Docs, Dropbox.com, iCloud).
- iEHR reserves the right to block access to non-business-related material.
- Users shall honor all rules of copyright and intellectual property.
- Users shall not knowingly download non-work-related executable files from the Internet.
- Users shall not establish peer-to-peer connections to external parties for file sharing, downloading music or movies, or accessing adult materials.
- Users shall not knowingly enable an external or remote party to gain unauthorized access to, or control of, any device, application, or system on iEHR data networks.
- The use of any software or service that hides the identity of the user or the location of the user while using the Internet is prohibited.
- Email Usage
- All email messages, documents, and correspondence and data obtained via internet use are considered iEHR property.
- Organization email is solely for business purposes. Do not use work email for personal reasons.
- Users shall not misuse their email privileges, e.g., by sending or forwarding non-business-related mass emails.
- Users shall delete chain and junk email messages without forwarding or replying to them. Electronic chain letters and other forms of non-business related mass mailings are prohibited.
- Personnel shall not use iEHR resources to view, record, or transmit materials which violate iEHR policies. Inappropriate messages, pictures, and/or other visual images/materials include, but are not limited to:
- Fraudulent messages - Messages sent under an anonymous or assumed name with the intent to obscure the origin of the message.
- Harassment messages - Messages that harass an individual or group for any reason, including race, sex, religious beliefs, national origin, physical attributes, or sexual preference.
- Obscene messages - Messages that contain obscene or inflammatory remarks.
- Pornographic materials - This includes, but is not limited to, pictures, audio/video files, literature, or newsgroups.
- Users shall not engage in spamming activities.
- Users shall not forward email containing sensitive information or PHI to public email systems such as Hotmail.com, gmail.com, or other public email system services. In addition, users shall not forward sensitive information, PHI, or other iEHR business information to their personal email accounts. Personal email accounts shall not be used for official iEHR business.
- All outgoing email messages shall include the following confidentiality notice:
- “This electronic message is intended to be for the use only of the named recipient, and may contain information that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately by contacting the sender at the electronic mail address noted above, and delete and destroy all copies of this message. Thank you.”
- Note: If you use an automated email signature, this confidentiality notice can be added to its signature block.
- PHI shall be sent by email only when necessary for treatment of the patient, payment, or health care operations, and with the highest level of security available. PHI and other sensitive information shall be encrypted in transit whenever it is sent over the Internet (outside iEHR networks).
- When sending PHI via email, users shall take precautions to avoid unintentional disclosure, such as verifying every recipient address for accuracy before sending.
- PHI shall not be placed in the subject line of an email message; this includes a patient's name or medical record number. If the message body or an attachment contains PHI, the subject line shall indicate that the message contains PHI.
- Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.
- Users shall check their email regularly and delete unneeded email.
- Users shall delete, without opening, suspicious or unsolicited email messages from outside iEHR, especially if they carry executable attachments (e.g., ".exe" files). If a user repeatedly receives email of this nature, the activity shall be reported to the Security Officer.
- Only individuals with administrative responsibilities (e.g., Department Managers, Directors) or their designee may be granted access to the email account of a former employee or vendor. This may require written approval from the requestor's supervisor.
  - The account shall be used only for the retrieval of existing email and shall not be used to impersonate the former personnel or to send email communications.
  - Access shall be granted for 30 days; any extension must be approved by the Chief Information Security Officer.
ENFORCEMENT
Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, iEHR may report the matter to civil and criminal authorities as required by law.