14.32 Electronic Mail System (E-Mail) Security
14.32.1 POLICY STATEMENT
The Health Plan utilizes electronic mail (E-Mail) in transmitting individual and Health Plan information. Established security measures must be followed by all personnel who have the authority to access, use, or transmit protected health information (PHI) electronically.
14.32.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Application of Policies | This policy applies to all usage of e-mail systems related to the Health Plan whether or not the e-mail is originated from or is received into the computer or network system used by the Health Plan. Such policies apply to all authorized users including employees, business associates, staff or consultants. |
| Definition of Authorized User | For the purposes of this policy, an “authorized user” is defined as any person who (1) has been assigned a password and user ID code and (2) has the authority to read, enter, or update information created or transmitted by the Health Plan. |
| Personal Use or E-Mail and Internet Systems | Users have the responsibility and obligation to use e-mail and internet systems appropriate, effectively, and efficiently. Incidental personal use is permissible if:Personal use is limited to meal and break times;It does not interfere with the normal business use of such services;It does not interfere with the work productivity of the user or other employees; andPasswords and user ID codes are not shared with others. |
| Improper Use of Health Plan’sE-Mail or Internet Services | Improper use of e-mail and internet services is strictly prohibited. Examples of such improper use include, but are not limited to:Sending/forwarding harassing, insulting, defamatory, obscene, offending or threatening messages;Gambling, surfing or downloading pornography;Downloading or sending confidential individual or PHI without proper authorization;Copying or transmission of any document, software or other information protected by copyright and/or patent law, without proper authorization;Transmission of highly sensitive or confidential information (e.g., HIV status, mental illness, chemical dependency, workers’ compensation claims, etc.);Obtaining access to files or communication of others without proper authorization;Attempting unauthorized access to individual or Health Plan data;Attempting to breach any security measure on any of the Health Plan’s electronic communication system(s);Attempting to intercept any electronic communication transmission without proper authorization;Misrepresenting, obscuring, suppressing, or replacing an authorized user’s identity;Using e-mail addresses for marketing purposes without permission from the recipient(s);Using e-mail system for solicitation of funds, political messages, or any other illegal activities; and/orReleasing of passwords and user ID codes |
| Ownership of E-Mail Messages | Messages whether originated or received into the Health Plan e-mail system are considered to be the property of the Health Plan and, therefore, are subject to the review and monitoring of the HIPAA Privacy Officer. The Health Plan reserves the right to access employee e-mail (whether present or not) for the purposes of ensuring the protection of individual/Health Plan information. |
| Inadvertent Access to E-Mail | During routine maintenance, upgrades, problem resolution, etc. information systems technician(s) may inadvertently access user e-mail communications. Such staff, when carrying out their assignments, will not intentionally read or disclose content of e-mail unless such data is found to be in violation of the HIPAA Policies and Procedures. |
| Protection of Information | Users of the e-mail system must ensure that all information forwarded, distributed, or printed is protected according to the HIPAA Policies and Procedures. |
| Maintaining/Archiving E-Mail Messages | E-mail messages may not be maintained or archived for more than thirty (30) days, unless otherwise approved by the HIPAA Privacy Officer. |
| Record Retention | A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both. |
| HIPAA Privacy Officer | The HIPAA Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The HIPAA Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. If you have a question or concern about your HIPAA rights contact the HIPAA Privacy Officer during regular business office hours Monday through Friday, except holidays at (651) 696-6280. |
| Violations | Violations of this policy will be subject to discipline. |