
Staff Development
and Health Sciences Library
Information Communication System Policy - Security and Confidentiality
A. ACCESS TO COMPUTERIZED RECORDS
Persons who require access to computerized patient/administrative information will be provided access based on an individual password and custom created menus. Users may not share their password with anyone. Passwords may not be publicly posted. All such activities violate the patient's legal and ethical right to privacy, and as such are a breach of security.
B. ACCESS MONITORING AND SAFEGUARDS
Each access session of the computerized information system is recorded in the system by individual password, name, date, time, location and data category. These records/audit reports provide the basis for analysis of attempts at inappropriate access. Further, attempts to access the system through incorrect passwords are logged immediately and provide a further tracking mechanism. Audit reports which are regularly reviewed are maintained by the Information Systems Department.
Each password is linked to custom-created menus and other electronic pathways that allow access to certain data as determined by the user's need-to-know requirements. Physicians are provided access to all available information on any patient assigned to their care. Nurses' access is limited to patients on their unit. Employees of the medical staff may access patients' records only of the practitioner or practitioner group with whom they are employed.
C. FINANCIAL/ADMINISTRATIVE INFORMATION
Password access to financial/administrative information will be limited to those whose job function requires they have the information. Information will be restricted by cost centre, patient grouping, program and/or division. This will require approval of the Finance Department.
D. CONSEQUENCES OF VIOLATIONS OF PATIENT CONFIDENTIALITY
Once a violation of confidentiality has been identified by the Information Systems Department and the Manager of the appropriate department, there will be an immediate suspension of the password. Additional consequences of such behaviour will be applied as follows:
Hospital Employee/Volunteers - This violation is subject to disciplinary action, up to and including termination, for the first offence. Password for the employee will be re-instated upon acceptance of a corrective action plan.
Medical Staff - Consequences to be determined by the Medical Advisory Committee.
Employee of the Medical Staff - Subsequent to determination of appropriate disciplinary action by the medical staff employer, possible reinstatement of password will be determined by the Medical Advisory Committee.
SECURITY
Access to The Brantford General Hospital's computer systems is granted to any hospital personnel when it is required to enable them to perform their job function.
When system access is granted by M.I.S., a login name is assigned to the user. The user will select a password the first time they log into the computer system to protect access to their account. The computer systems force password changes periodically for security reasons to protect the Hospital's computer systems. Under no circumstances shall passwords be shared or written down. A user will change their password if they feel it is no longer secure.
OWNERSHIP
All information obtained and any applications generated from the Hospital's computer systems shall be deemed the property of The Brantford General Hospital.
All new software acquisitions must have prior approval by the Management Information Systems Department.
Under no circumstances shall any employee bring in and install their own software on their local hard disk.
MAINTENANCE
Computer System maintenance and upgrades are scheduled at times that will least affect the users. It may become necessary to interrupt service during the normal work hours when third party companies need to be involved. Every effort will be made to provide notice of this in order that schedules can be changed to support the interruptions in service.
Access to the Novell network is disabled between midnight and five a.m. to streamline the backup process.
Access to the INTERNET (including e-mail) has been provided with the sole purpose of enabling Employees, Physicians, Dentists, Midwives and Volunteers (hereinafter referred to as “User(s)”) of The Brant Community Healthcare System at either the Brantford General site, the Willett site and all other such sites that come under the Brant Community Healthcare System, to perform their jobs better. We encourage respective users to utilize the INTERNET:
To communicate with fellow Users and clients regarding matters within a User's assigned duties;
To acquire information related to, or designed to facilitate, the performance of regular assigned duties; and
To facilitate performance of any task or project in a manner approved by the respective supervisor or overseer.
At all times Users must utilize these resources in a professional manner that will not violate this or any policy, nor in a manner that may expose The Brant Community Healthcare System to liability or damage of reputation. INTERNET access is a privilege, which will be granted to those Users whose job can benefit from it. Access to the INTERNET and e-mail resources is for business use only.
Users shall only retain information on their computer systems (hard drive) that is necessary in the performance of their assigned duties.
Internet and Email Usage
Security of INTERNET Transactions
INTERNET Users must recognize that data transfer over the INTERNET is NOT SECURE and ensure that all clients, confidential business, or other sensitive data is transferred by other means. Please contact the I.T. department if such data transfer is required. All data transfers of such information must be approved by a member of the Senior Leadership Team.
Do not attempt to encrypt any e-mail message without the approval of your supervisor, or overseer. To the extent that you do encrypt any such message, please advise your supervisor, or overseer in writing of the encryption technique and passwords used. Remember that encryption is not a guarantee that your message will be kept confidential.
Privacy of INTERNET Transactions
All users of the INTERNET services via The Brant Community Healthcare System should be aware that the INTERNET firewall creates an audit log detailing every request for access in either direction by the user.
The Brant Community Healthcare System will not ordinarily monitor user e-mail messages; however, for its own protection, The Brant Community Healthcare System reserves the right to access and monitor any user e-mail accounts or messages as well as any INTERNET activity.
Personal Use
Personal use of e-mail should be kept to a minimum and must not interfere with job performance. Users must understand that all e-mail transactions are the property of The Brant Community Healthcare System, subject to audit, and therefore are not confidential. During a user's absence or during an emergency, The Brant Community Healthcare System may access information contained in your e-mail account.
Use of the INTERNET browsing facilities for personal or entertainment purposes will not be tolerated. From time to time, Information Technology personnel will be conducting random checks.
System Security
Users are responsible for the use of their individual e-mail account and should take all reasonable precautions to prevent others from being able to use their account. Under no conditions should a user provide his or her password to another person except the System Administrator/I.T. Manager.
Users should immediately notify the System Administrator/I.T. Manager if they have identified a possible security problem.
Users will take all precautions to avoid the inadvertent spread of computer viruses. Users must not download software or install any software to their PC without prior permission from the I.T. Department. Users must at all times use approved scanning software. Should damage occur to the computer system or network due to improper software or viruses, then the department responsible will be charged by the I.T. department for the labour involved in repairing the system.
Litigation
Users should be aware that they may be required to disclose all files and records contained on the Computer system or network, including any personal files and e-mail messages, in the event of a lawsuit.
Do not delete any e-mail message that may relate, in any way, to an existing or potential lawsuit, inquest, investigation or similar legal proceeding. If you are in any doubt, please err in favour of retaining the message and consulting your supervisor, or overseer.
Retention
For system maintenance, The Brant Community Healthcare System will delete e-mail messages that are older than 30 days and will destroy back-up tapes containing e-mail messages every 2 months. We may, however, change these time periods, from time to time, without advising you.
If a User needs to keep an e-mail message on a long-term basis, store it in specific folders in your electronic mailbox. Please review e-mail messages periodically, however, and remove any that are no longer required.
Ownership of Materials
The Brant Community Healthcare System's e-mail address and any individual e-mail addresses granted to system users are the sole property of The Brant Community Healthcare System. Use of e-mail addresses may be revoked at the discretion of The Brant Community Healthcare System.
The Brant Community Healthcare System owns all material stored on its computer systems, including e-mail messages. No employee has any ownership right in the messages or in the content of the messages.
Users who leave the employ of The Brant Community Healthcare System are not entitled to take any information on the computer systems.
Specific Rules for E-mail Messaging
Do not represent yourself as someone else.
Do not send or receive client or User information without prior authorization from your supervisor, or overseer.
Do not give others outside The Brant Community Healthcare System information about, or a list of, The Brant Community Healthcare System Users for commercial solicitation or other purposes.
Do not forward any e-mail marked “confidential” or “privileged” without the consent of the individual who sent the e-mail.
Misuse of INTERNET (and E-mail) Services
In utilizing the INTERNET and e-mail access provided by The Brant Community Healthcare System, Users are expressly prohibited from the following:
Disseminating or printing of copyrighted materials (including articles and software) in violation of copyright laws;
Sending, receiving, printing or otherwise disseminating:
proprietary data, trade secrets or other confidential information of The Brant Community Healthcare System's policy or agreements,
offensive or harassing statements or language including disparagement of others based on grounds prohibited by the Ontario Human Rights Code,
sexually-oriented messages or images;
soliciting or using computer resources for personal or commercial ventures, religious or political causes, or any outside organizations;
accessing material that is profane or obscene (pornography), that advocates illegal acts, or that advocates violence or discrimination towards other people (hate crimes);
operating a business, soliciting money for personal gain, or searching for jobs outside of The Brant Community Healthcare System;
personal use, including inappropriate jokes, sending chain letters or gambling;
using the INTERNET access services provided by The Brant Community Healthcare System to attempt to gain unauthorized access to any computer system or accounts anywhere in the world;
engaging in any activity in violation of local, provincial or federal law.
These activities not only violate The Brant Community Healthcare System's policies and procedures but may be subject to criminal prosecution.
Transfer of Data
Transfer of any proprietary or confidential data, by any means, over the INTERNET is strictly prohibited and subject to internal disciplinary action up to and including termination unless prior approval by a member of the Senior Management Team is received.
Obtaining INTERNET Access
In order to obtain access to the INTERNET services, Users requesting access must document how this resource will benefit them in the performance of their duties and have it approved by their manager. The request must be approved by the Computer and Communications Steering Committee.
The User must also have read The Brant Community Healthcare System Policies and Procedures related to computers and have signed a SECURITY AGREEMENT form before access is granted.
Publishing on The Brant Community Healthcare System Web-site
Users will respect the rights of copyright owners. Copyright infringement occurs when an individual inappropriately reproduces a work that is protected by a copyright. If a work contains language that specifies acceptable use of that work, the user should follow the expressed requirements. If the user is unsure whether or not they can use a work that is available on the INTERNET, the user should request permission from the copyright owner.
Any information to be posted on The Brant Community Healthcare System web-site must be approved by a department head prior to being forwarded to the Webmaster (Community Relations).
The deadline for all submissions is on Friday at noon. Information will be posted on the site for two weeks from the Friday it is received.
Should approval of the page design be required prior to publishing on the web, the posting will take place one week after the department head signs off.
Community Relations will be responsible for final approval of all materials. Written materials should be saved in an “HTML” format when possible and e-mailed or delivered on disk.
Any photographs required for use on the web-site should be delivered to Community Relations at the same time. Community Relations will not be responsible for returning the photographs and they must be picked up within the month.
Disciplinary Action
If a User suspects that another individual is violating this policy, contact the system administrator/I.T. Manager, your supervisor, or overseer.
Disciplinary action for violation of this Policy may include, but is not limited to, termination or suspension of the offending User. In cases involving less serious violations, disciplinary action may consist of a warning or reprimand. Remedial action may also include counseling, changes in work assignments, or other measures designed to prevent future misconduct including termination or suspension of INTERNET and/or e-mail access.
This policy applies equally to every individual in the organization both during on-duty hours and off-duty hours when utilizing these resources.
VIOLATION OF THE HOSPITAL POLICY REGARDING COMPUTER SYSTEMS USE AND ACCESS MAY RESULT IN CORRECTIVE DISCIPLINARY ACTION.