
NRVCS Electronic Communications Policy

POLICY

It is the policy of New River Valley Community Services (NRVCS) to adhere to federal and state confidentiality requirements. Concurrently, NRVCS is sensitive to the needs and desires of the community and the expressed need to utilize different forms of communication. This policy is designed to help employees understand agency expectations for use of these resources and to help in utilizing them wisely, properly and efficiently.

NRVCS uses communication technology to gather and share information with our staff, individuals, colleagues, State and Federal officials, suppliers, and other employees. Use of voice mail, email, text messaging, local area networks (LAN), intranets and the Internet enables us to obtain and distribute information more quickly and efficiently, make more informed decisions and better serve individuals. At the same time, improper use of these systems can create legal and other risks for employees and/or NRVCS.

DEFINITIONS

Electronic Communications System (ECS) – includes, but is not limited to, voice mail, electronic mail, text messages, instant messages, fax equipment, phone systems and agency owned or leased cell phones, networks, intranet and Internet access and any other electronic information system owned, leased, operated, maintained, managed or used by NRVCS.

External email: Email sent from a NRVCS email address to an outside, non-NRVCS email address.

Electronic Health Record — Any item, collection, or grouping of paper and electronic information that includes an individual’s protected health information receiving services which are maintained in an electronic system.

Internal email: Email sent from one NRVCS email address to another.

Messages – includes, but is not limited to, all messages, files or other data or information created, uploaded, downloaded, sent, received or stored on any ECS.

Minimum Necessary Standard — The use or disclosure of the minimum amount of protected health information (PHI) necessary to satisfy a particular purpose, to discuss services and/or relay information regarding an individual.

Protected Health Information (PHI) — Any information that could be used alone or in combination with other information to identify an individual who is a subject of the information.

GUIDELINES

  1. Ownership of System and Data: All Electronic Communications Systems are NRVCS property. All messages and data stored on them are property and records of NRVCS.
  • Business Use: Messages should be used primarily to conduct NRVCS business. The use of ECS for any of the following is considered unacceptable:
    • Use of another person’s system, user-id, password, files or data without permission;
    • Use of NRVCS computers or computer programs to decode passwords or access control information;
    • Any attempt to circumvent or subvert ECS security measures;
    • Engaging in any activity that might be harmful to any ECS or any information stored on an ECS, such as the creation or loading of computer viruses, intentionally disrupting services or the damaging of files or information.
    • Use of any ECS for personal or partisan political purposes, such as using e-mail to circulate advertising for clubs, religious organizations or soliciting support for political candidates;
    • Use of any ECS to harass, intimidate or otherwise annoy any person, for example, by broadcasting unsolicited messages, individually or by using a distribution list, or sending unwanted e-mail;
    • Use of any ECS to display or propagate any kind of sexually explicit image, document or message
    • Use of any ECS for any external messaging application is strictly prohibited.
    • Use of any external file-sharing applications (i.e. torrents) is strictly prohibited.
    • Use of any ECS to upload, download, FTP or print material that is not business related or contains offensive material is prohibited.
    • Using your NRVCS email address or phone number as a contact for personal accounts (i.e., providing your NRVCS email to an online store as your main contact) is prohibited.
    • Employees are prohibited from downloading or using TikTok or WeChat applications or any other application developed by ByteDance Limited or Tencent Holdings Limited, or visiting the TikTok or WeChat websites on state-owned or leased equipment.
  • Personal Use of any ECS: NRVCS recognizes that personal matters must sometimes be dealt with during the course of any normal business day. This includes, but is not limited to; email messages and use of NRVCS phone systems, and voice mail. However, personal use of any ECS should be limited and should not interfere with performing normal job duties. The scope and duration is considered to be a matter of supervisory definition and discretion. The use of any ECS to forward messages, not related to business, including, but not limited to, email distribution lists, is strictly forbidden.

  • Cost incurred by Personal Use of any ECS:   Staff are expected to reimburse NRVCS for any costs incurred to the Agency while using any and all ECS, including, but not limited to, any extra charges incurred while using Agency cell phones, for any non-business related usage.
  • Internet use: Internet access is provided for staff to fulfill job responsibilities and not for personal use. Occasional and reasonable personal use of NRVCS Internet is permitted, if it does not interfere with work performance or the availability of network resources for others. These services may be used outside of scheduled hours of work, provided that such use is consistent with professional conduct. Prohibited activities include, but are not limited to; gambling, illegal activities, and non-NRVCS commercial business.
  • Social Media. Proper use of social media is covered in the Social Media Policy.
  • Message Content:   Messages may not contain content that may be reasonably considered offensive, disruptive, defamatory or derogatory, including, but not limited to sexual comments or images, racial slurs or other comments or images that would offend someone on the basis of his or her race, national origin, gender, sexual orientation, religious or political beliefs or disability.
  • Proprietary Rights: NRVCS has purchased licenses for the software that our staff needs to handle their daily work. Downloading unauthorized software to an agency device is strictly prohibited. Downloading agency owned software to personal devices is prohibited unless the IT Department specifically approves such a request.
  1. Expectation of Privacy: NRVCS employees have no expectation of privacy using NRVCS ECS for communications. The NRVCS IT team and leadership can monitor and review ECS if there is a business need.
  • Confidential Information:
    • Forwarding or receipt of confidential ECS documentation should be considered equivalent to the release or re-release of information. Email and other information should only be forwarded when there is a legitimate professional justification for doing so; on a professional need-to-know basis and only consistently with Agency policy involving individual consent to the sharing of information.
    • Employees must identify themselves honestly and accurately while utilizing any Agency ECS.
  • Consumer Communication: Email and text message allows NRVCS providers to exchange information efficiently for the benefit of individuals. At the same time, email and text messaging are not a completely secure means of communication. NRVCS wants to make sure individuals understand the risks associated with email and text messaging as a form of communication. NRVCS encourages individuals to use good judgment in deciding what information they send to providers.
    • Staff shall discuss preferred methods of communication with the individual and determine if the individual desires to send and/or receive email and/or text communications.
    • Staff shall review and complete the Consent for Email and/or Text Message Communication with the individual in its entirety.
    • Staff shall use agency email address and agency phones when communicating with individuals.
    • Any email with PHI sent to an external email address must follow the encryption procedure detailed in the SECURE email user guide.
    • Staff shall be responsible for checking the information in the EHR for the correct email and/or text message number for the individual or substitute decision maker of the individual.

    • If there is a change to the individual’s email and/or phone number for text messages, the new email address and/or cell phone number shall be the responsibility of the staff and be entered into the EHR.
    • NRVCS reserves the right to rescind the email and/or text communication consent for any individual who either breaches policy requirements or for whom it is determined that the use of email and/or text communications is clinically contraindicated.
    • Email and text communication should not be used as the primary method of communicating with individuals. The bulk of communication between NRVCS staff and individuals shall take place via telephone or person to person, direct contact.
    • Email and text communication should not be used to deliver therapeutic services, but rather should be used to coordinate care, schedule/confirm/change appointments, and transportation. Other communication that exceeds these communications should be discussed with the individual and documented prior to use.
    • Staff shall make individuals aware that just because they have sent an email or text, does not mean we will receive it and read it immediately. Thus, communicating via email and text is not a means of managing urgent information.
    • Staff shall limit the information included in the text message and/or email to the minimum amount necessary for the clinical purpose.
    • Avoid transmitting highly sensitive PHI via text message and/or email whenever possible.
    • NRVCS staff shall never use automatic email forwarding. That is, no staff shall arrange for their NRVCS emails to be automatically forwarded to a non-NRVCS email address.
    • Staff shall never send email and/or text communications unless the email address or phone number have been verified against information in the EHR as well as the sender has double-checked that the email address and/or number entered is the correct number or address, and
    • Staff shall always include a privacy statement in emails notifying the recipient of the insecurity of unencrypted email and providing the contact information for a person to whom a misdirected message may be reported.
  • Right to Monitor: All messages and data remain the property of NRVCS and NRVCS reserves the right to monitor, access, retrieve and read all or any messages and/or data and to disclose information to law enforcement or other third parties without any prior notice to the originator/owner or the recipient of the message or data. Employees whose normal job responsibilities include data integrity and security may review messages and/or data to or from any employee for the purposes of:

    • Identifying and diagnosing hardware and software problems;
    • Preventing system misuse;
    • Determining breaches of confidentiality, security or violations of this Policy or any other NRVCS policy;
    • Investigating misconduct or illegal, unethical or inappropriate activity;
    • Assuring compliance with proprietary rights, contractual obligations and licenses;
    • Complying with all legal obligations to which NRVCS is subject;
    • Otherwise protecting the business interests of NRVCS.

No other monitoring or review of messages or data may be made without the prior approval of the Human Resource Director, Unit Director or Executive Director.

  • Encryption of Data and Emails:   Occasionally information with PHI has to be transmitted via external email to individuals or entities outside of NRVCS.
    • In those situations those emails must be encrypted. Any email with PHI sent to an external email address must follow the encryption procedure detailed in the Encryption email user guide.
    • Any portable media device containing PHI or proprietary information must be encrypted or the files must be encrypted.
    • If a NRVCS staff person receives an email from an outside provider with PHI in it, the staff person should not reply to the email. Another email should be newly created to respond, including only individual initials or shall be encrypted.
  • Disciplinary Measures:    Employees must immediately report any and all violations of the agency policy regarding Electronic Communications Systems to IS Management, their supervisor, or to Human Resources. Employees found to be in violation of this Policy will be subject to discipline, up to and including, discharge. Offenders may be prosecuted under applicable laws including (but not limited to) the Privacy Protection Act of 1974, the Computer Fraud and Abuse Act of 1986, Interstate Transportation of Stolen Property, the Virginia Computer Crimes Act and the Electronic Communications Privacy Act.
  • Access to the text of these laws is available through the Reference Department of the Newman Library at Virginia Tech.