The goal of this policy is to define and establish standards and procedures for the receipt and removal of hardware and electronic media that contain confidential or sensitive information.
II. Scope and Limitations
This policy applies to all Topaz workforce members.
III. Related Policies Name and Number
None
IV. Definitions
None
V. Procedures
A. Accountability Procedures
1. Topaz does not store or maintain e-PHI on any equipment or media. However, Company sensitive and confidential information may be stored on electronic devices and media. All workforce members log into a client’s network environment and systems to access, process and transmit e-PHI as needed to provide health information services.
2. All media that arrives at Topaz must remain in the protective packaging until ready for use. Only authorized individuals are provided access to the media.
3. When media that contains confidential or sensitive information is created, received or moved within or outside of the organization, its movement and the name of the workforce member responsible for that movement must be documented. Such documentation must include the workforce member’s name, the information affected, the reason for the movement, and the date and time.
4. If media that contains confidential or sensitive information is to be transferred to an off-site location, the data on the media should be encrypted, and the encryption and decryption keys are to be protected with the same care as the data.
5. Media tracking mechanisms are utilized to track the accountability of media into and out of Topaz.
6. When a device or media containing confidential or sensitive information is released for off-site maintenance or storage, a legally binding contract for the management of the information must be in place to protect the confidentiality of the data.
B. Data Backup and Storage Procedures
1. All confidential or sensitive information is backed up through the data center. When required, media may be utilized to back up sensitive and confidential information; all use of media and removable storage for backup must be pre-approved by the IT Supervisor and/or Chief Product and Technology Officer. Such media will be managed in accordance with these procedures.
2. Media containing confidential or sensitive information must be stored in a physically separate, environmentally appropriate location, such as a Data Center or another safe location.
3. Backups of all confidential or sensitive information must be created in an encrypted format.
4. Restore procedures must be tested to verify that backups are valid and restorable.
C. Media Re-Use
Any equipment or storage media that contain confidential or critical information will be erased before the equipment/media is reused. Proper destruction of data includes overwriting the entire media at least once with pseudorandom data, physical destruction or degaussing.
D. Disposal
1. Disposal procedures of all IT assets and equipment will be centrally managed and coordinated by the IT Department. The IT Department is also responsible for backing up and wiping company data on all IT assets slated for disposal as well as the removal of company tags and/or identifying labels.
2. All devices and media that contain confidential or sensitive information should be destroyed by overwriting the entire media at least once with pseudorandom data, degaussing or physical destruction of the device or media.
3. A media or information system disposal vendor may be utilized to dispose of devices or media. A business associate agreement or contract confirming the confidentiality of the information in the device or media and its destruction must be executed between Topaz and the chosen disposal vendor. The devices or media to be disposed of must be marked as containing confidential or sensitive information before they go off site for disposal.
4. The IT Department is also responsible for acquiring credible documentation from the contracted disposal vendor that conducts the data wiping, tag or label removal, or any other part of the disposal process.
E. Mobile Device Procedures
Additional safeguards and procedures are required for mobile devices capable of storing confidential or sensitive information such as smart phones, tablets, etc.
1. Email enabled devices are allowed as a supplemental delivery method but are not intended to completely replace the Company’s email application.
2. All data transferred from the Company’s network and applications remain the property of the Company and come under the BYOD Policy and Confidentiality Agreement signed by each workforce member (regardless of whether the individual paid for the device personally or was reimbursed for the item as an office expense).
3. Files or applications used to store the Company system passwords, safe combinations, pass phrases, PINs, etc. must be encrypted or password protected themselves.
4. Confidential or sensitive electronic information may not be stored locally on a mobile device.
5. End users are expected to take reasonable steps to prevent the loss or theft of mobile devices used for business operations.
6. Loss or theft of a mobile device used for business operations should be reported to the workforce member’s Immediate Supervisor, IT Supervisor, and the Compliance Director within 24 hours.
7. In the event of loss or theft, automatic clean wipe or remote kill software will be used to destroy all data on the mobile device containing confidential or sensitive electronic information.
VI. Responsibilities
VII. Required Forms/Attachments
VIII. Distribution
IX. References
None