
Department of Health Care Policy & Financing

LAN Access Request


*** FILL OUT FORM COMPLETELY *** *** INCOMPLETE FORMS WILL CAUSE A DELAY IN PROCESSING THE REQUEST ***

Supervisor and employee signatures are required.
Login ID requests may be submitted without the employee's signature, but user ID and password information will not be released until signatures are obtained.
Scan the completed form and save it as a PDF file.
Email the completed form to the Service Desk at ServiceDesk@state.co.us.
Please allow 3 business days to complete all requests.

Type of request (check one): New Account / Modify Account / Delete Account / Name Change / Transfer

Effective Date: ________ Contractor Phone: ________

Employee Type (check one): FTE / Temporary (End Date: ________)

Employee Information:

First Name: ________ MI: ___ Last Name: ________

Primary Section (this will be the user's S drive and primary email group): Section (A-H): ________ Section (I-Z): ________

Secondary Section: Section (A-H): ________ Section (I-Z): ________

Additional Section: Section (A-H): ________ Section (I-Z): ________

Email Address (the employee's email address will be firstname.lastname@state.co.us). Enter the user's preferred name: ________@state.co.us

Secondary Email Group: Section (A-H): ________ Section (I-Z): ________

Additional Email Group: Section (A-H): ________ Section (I-Z): ________

Manager Information: Section Manager's Name: ________ Phone: ________

Section Manager's Signature: _____________________________________ Date: _____/______/______

End User Acceptance
By requesting a User ID, User is responsible to learn and abide by proper usage procedures and to protect the integrity and security of the Department's computer systems at all times. Users shall not knowingly cause or allow the addition, modification, destruction or deletion of any records and/or information accessible through Department applications, except solely in the course of performing authorized work.

User understands that Department computer systems are for the use of authorized users only. The use of any and all state resources is subject to inspection at any time. User should have no expectation of privacy with respect to the use of Department resources. The Department may use software or systems that can monitor and record all internet usage and reserves the right to do so at any time. Any abuse or misuse may subject User to appropriate corrective or disciplinary action.

Any software or files downloaded by User via the Internet into the Department network become the property of the State of Colorado. Any such files or software may be used only in ways that are consistent with their licenses or copyrights. System users may not use Department Internet facilities to download entertainment software or games, or to play games over the Internet. User understands that appropriate social networking site usage is guided by Department policy.

User understands that the display of any kind of sexually explicit information on any Department system is a violation of the Department's policy on sexual harassment. Sexually explicit material may not be archived, stored, distributed, printed, edited or recorded using Department network or computing resources. Department internet facilities and computing resources may not be used knowingly to violate the laws and regulations of the United States or any other nation, state, city, province or other local jurisdiction in any way.

User will notify Human Resources when transferring to another Division or Section within the Department, to another Department or Agency, or when leaving State employment. By signing this agreement, User agrees that he/she will read and comply with the following policies and procedures regarding privacy, security and appropriate information system use: PSP-004 Responsibility to Maintain Privacy and Security; PSP-018 Workstation Acceptable Use; and ADM-036 Internal Electronic Forums. User understands and agrees to comply with the standards contained therein. User understands that violations of Department policies, procedures and standards may lead to disciplinary action, up to and including termination of employment; revocation of access to state information, information systems, and/or facilities; and may also include criminal penalties and/or imprisonment.

Employee Signature: ____________________________________________ Date: _____/______/______


STANDARD OPERATING PROCEDURE

COLORADO DEPARTMENT OF HEALTH CARE POLICY AND FINANCING

NUMBER: PSP-004 DATE: 5/6/11 SUPERSEDES: NUMBER: PSP-004 DATE: [illegible in scan] EXECUTIVE DIRECTOR APPROVAL

RESPONSIBILITY TO MAINTAIN PRIVACY AND SECURITY

I. PURPOSE AND AUTHORITY

A. PURPOSE: The purpose of this Standard Operating Procedure (SOP) is to establish policy and procedure for Department workforce members to present guidelines for maintaining the privacy/security of all information coming into or going out of the Department.

B. AUTHORITY: 45 C.F.R. 160.103; 45 C.F.R. 160.308; 45 C.F.R. 160.310; 45 C.F.R. 164.308(a)(1)(ii)(C); 45 C.F.R. 164.308(a)(6)(i)-(ii); 45 C.F.R. 164.530(e)-(g)

II. DEFINITIONS

A. Health Insurance Portability and Accountability Act of 1996 (HIPAA): For purposes of this SOP, HIPAA is defined as the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Section 1320d - 1320d-8, and its implementing regulations promulgated by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, and other applicable laws, as amended.

B. Individually Identifiable Health Information (IIHI): Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual (45 C.F.R. 160.103).

C. ACSP: Agency Cyber Security Plan.

D. Covered Entity: A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction (45 C.F.R. 160.103).


E. Business Associate (BA): A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. The function or activity performed by the BA involves the use or disclosure of IIHI. Also see 45 C.F.R. 160.103.

F. Information Security Officer (ISO): A role delegated to a knowledgeable employee or contractor within a department, responsible for supporting the department's cyber security plan. The ISO representative may include any individual authorized by the Governor's Office of Information Technology (OIT) to function in such a role for the Department.

G. Protected Health Information (PHI): Individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium (45 C.F.R. 160.103).

H. Workforce: Permanent and temporary employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

III. POLICY

A. It is the responsibility of all members of the Department's workforce to protect the privacy rights of Medical Assistance Program clients and to protect against any reasonably anticipated uses or disclosures of PHI or other confidential information that are not permitted by state or federal law or by the Department's privacy/security SOPs.

B. It is the responsibility of all members of the Department's workforce to practice conscientious security measures and to assist in ensuring the confidentiality and integrity of PHI and other confidential information.

C. The Department will take all reasonable steps to mitigate any harmful effect that is known due to a potential or actual privacy/security incident or as a result of a violation of Department policies and procedures. Mitigation efforts will be designed to help protect against any further harm to individuals and may include a statement of apology directed to clients and/or credit monitoring services designed to lessen the harm of potential economic loss to individuals. The Department also recognizes that harm may not be limited to economic factors but may include reputational or other types of harm. The Department may choose to notify


individuals of a loss or disclosure of protected information, regardless of the Department's responsibility under state, federal or other law, in order that the affected individuals learn of the event and thereby be able to mitigate other potential harm, such as harm to personal reputation, that may result from the exposure of sensitive medical information being inadvertently accessed, used or disclosed.

D. The Department, members of the Department's workforce, Department contractors and/or Department BAs will not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against any member of the Department's workforce or other person who reports a potential or actual privacy/security incident.

E. The Department and its workforce members will cooperate fully with any privacy/security investigation, audit, or compliance review conducted by the U.S. Department of Health and Human Services or other federal or state governmental entity.

IV. PROCEDURE

A. All members of the Department's workforce will read and comply with the Department's privacy/security SOPs.

B. Members of the Department's workforce will report any potential or actual privacy/security incidents, made either by themselves or others, due to improper access, use, or disclosure of PHI or other confidential information, to the Privacy Officer and/or ISO within one business day. The Privacy Officer and/or ISO will take all reasonable steps to ensure confidentiality of the reporting workforce member. A security incident is an accidental or deliberate event that results in or constitutes an imminent threat of unauthorized access, loss, disclosure, modification, disruption, or destruction of communication and information resources, and would not include unsuccessful attempts to access Department networks that are stopped by a Department firewall or forgotten passwords by authorized system users.

C. The Privacy Officer and/or ISO will investigate all complaints, reported potential or actual privacy/security incidents, and any allegations of retaliation. The Privacy Officer and/or ISO will report findings and any recommended sanctions to the workforce member's supervisor and the Department's Legal Division Director. [Text illegible in scan]


... escalated by the Department's Legal Division Director to the Department's executive director.

D. The Privacy Officer and ISO will mitigate to the extent practicable any harmful effect that results from the reported potential or actual privacy/security incident. Mitigation may include: recapture of data with written assurance of destruction from the unauthorized recipient; written explanation to the client of the unauthorized use or disclosure, to include a statement of apology if applicable, and an explanation of efforts made by the Department to mitigate any potential resulting damage; or an assurance from the member of the Department's workforce or BA that steps have been taken to ensure such a mistaken use/disclosure doesn't happen again in the future. Written correspondence to the affected client(s) may also include the steps individuals should take to protect themselves from potential harm resulting from the mistaken use or disclosure of the information.

E. Any member of the Department's workforce who violates the Department's privacy/security SOPs, or who retaliates against someone for reporting a potential or actual privacy/security incident, may face sanction as recommended by the Privacy Officer and/or Legal Division Director. The type of sanction applied will vary depending on the severity of the violation; whether the violation was intentional or unintentional; whether the violation indicates a pattern or practice of improper access, use, or disclosure of PHI or other confidential information; and whether a previous sanction has been imposed. Sanction may include a written reminder to the workforce member of Department privacy/security SOPs, retraining on privacy/security, written reprimand for inclusion in the personnel file, or termination. If it is determined by the Privacy Officer and/or Legal Division Director that a violation is severe enough to constitute a criminal offense, the Department's executive director will be notified. The Department is required to notify law enforcement officials and/or the State Attorney General's Office of any criminal offense.

F. The Privacy Officer, ISO and/or Legal Division Director will serve as liaison(s) between the Department and the U.S. Department of Health and Human Services for all HIPAA compliance reviews or investigations, and with any other federal or state governmental entity performing a privacy/security investigation, audit or compliance review. All liaison activities will be performed in collaboration with the Department's audit coordinator, as necessary. All members of the Department's workforce will cooperate fully and will provide all relevant information upon request by the Privacy Officer, ISO and Legal Division Director.


V. EFFECTIVE DATE

This Standard Operating Procedure will become effective upon signature by the executive director and is effective until revised, superseded or until three years from the date issued, whichever comes first.

VIOLATION OF THIS STANDARD OPERATING PROCEDURE MAY RESULT IN CORRECTIVE OR DISCIPLINARY ACTION.

STANDARD OPERATING PROCEDURE

COLORADO DEPARTMENT OF HEALTH CARE POLICY AND FINANCING

NUMBER: FCM-013 DATE: 9/17/09 SUPERSEDES: NUMBER: FCM-013 DATE: 3/1/96 EXECUTIVE DIRECTOR APPROVAL

BLACKBERRY USAGE

I. PURPOSE AND AUTHORITY

A. PURPOSE: The purpose of this Standard Operating Procedure (SOP) is to establish policy and procedure for all employees, temporaries and contractors to define the standards and restrictions for the procurement and ongoing use of BlackBerry devices intended for use with the Department of Health Care Policy and Financing (the Department) networked resources in a secure and cost effective manner while protecting Department systems and data from unauthorized use or exposure. This SOP addresses all of the components that make up BlackBerry support at the Department, including but not limited to the following.

1. BlackBerry-branded and/or licensed handhelds
2. BlackBerry Enterprise Server software
3. BlackBerry Desktop Manager software
4. wireless voice services associated with BlackBerry devices
5. any related components of network infrastructure used to provide connectivity to the above
6. any third-party hardware, software, processes, or services used to provide connectivity to the above
7. any BlackBerry and/or Research In Motion (RIM)-manufactured or licensed hardware or software that could be used to access Department resources [remainder of item illegible in scan]

B. AUTHORITY: 45 C.F.R. 164.530(c); 24-37.5-401 through 406, C.R.S.; Cell Phone and PDA policy of the Colorado Cyber Security Policies [policy number illegible in scan]


II. DEFINITIONS

A. Health Insurance Portability and Accountability Act of 1996 (HIPAA): For purposes of this SOP, HIPAA is defined as the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Section 1320d - 1320d-8, and its implementing regulations promulgated by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, and other applicable laws, as amended.

B. Personal Digital Assistant (PDA): A lightweight, handheld computer, typically employing a touch-sensitive screen rather than a keyboard, generally used for storing information such as addresses or schedules, which may or may not include features like handwriting recognition software, voice recognition, and an internal cell phone and modem to link with other computers or networks.

C. Password: Members of the Department's workforce will construct all system passwords with at least eight (8) characters, and will include three of the following four character types: upper case alphabetic, lower case alphabetic, numeric, special characters (symbols, punctuation marks).

D. BlackBerry: a handheld wireless device created by Research in Motion (RIM). BlackBerries read email and calendars from enterprise-class email systems, such as the Department's Exchange email service, and most models also function as cell phones.

III. POLICY

A. This policy applies to all Department staff members that are currently using, or wish to use, BlackBerry-based technology to access the Department's data and networks via wireless means.

B. All new hardware, software, and/or related components that provide BlackBerry-related connectivity and services for Department users will be managed by the ITSS. [Portion illegible in scan] ... the Department are not allowed. In order to provide reliable and secure service, the ITSS will support and provide access and email redirection from the BlackBerry Enterprise Server. Desktop redirection is not supported or allowed.

C. [Beginning of item illegible in scan] ... specifically with network access, wireless access, and remote access to the Department network.


D. It is the responsibility of any Department user who is connecting to the Department's network via a BlackBerry-branded device or service to ensure that all components of his/her wireless connection remain as secure as his or her network access within the office.

E. It is imperative that any wireless connection, including, but not limited to, BlackBerry-class devices and service, used to conduct Department business be utilized appropriately, responsibly, and ethically. BlackBerry users are subject to all Department policies and procedures, Colorado Cyber Security Policies, and HIPAA regulations.

F. Use of any BlackBerry-branded device provided by the Department is restricted to the authorized user. Employees using BlackBerry-branded devices and services for remote wireless access will, without exception, use secure remote access procedures. This will be enforced through passwords that comply with the Department's definition and other methods in accordance with Department policies and procedures, Colorado Cyber Security Policies, and HIPAA regulations.

G. Users agree to never disclose their passwords to anyone and to take all necessary precautions to prevent theft of their BlackBerry-branded device.

H. All users of BlackBerry-branded equipment and devices used for Department business interests, whether personal or Department owned, must display reasonable physical security measures. Users are expected to secure all handhelds and related devices used for this activity whether or not they are actually in use and/or being carried.

I. Eligible Users

1. All Department staff requesting a BlackBerry device or BlackBerry services must go through an application process. Division directors must complete an application form outlining the job-related need and what level of service the employee is requesting. The application must be approved by the appropriate office director and the Budget and Finance Office. The completed application should be submitted to the ITSS.

2. All incurred costs for BlackBerry-branded access are the responsibility of the user and must be paid for out of their section's operating budgets. Any BlackBerry services contracted for without going through the approval process [remainder illegible in scan].

3. [Largely illegible in scan] Privately owned BlackBerry-branded devices [...] Department [...] not eligible to perform work [...] plan.


IV. PROCEDURE

A. Prior to initial use or connecting to the Department network, all BlackBerry-branded and licensed hardware, software and related services must be registered with the ITSS for asset identification and documentation purposes.

B. No Department employees or contractors will make modifications of any kind to Department owned and installed wireless hardware or software without the express approval of the ITSS and the Information Security Officer. This includes, but is not limited to, split tunneling, dual homing, non-standard hardware or security configurations, etc.

C. The BlackBerry-based wireless access user agrees to immediately report to his/her manager and the Department's ITSS, Information Security Office, Privacy Officer and Facility Coordinator any loss of equipment, incident, or suspected incidents of unauthorized access and/or disclosure of Department resources, databases, networks, etc.

D. The ITSS reserves the right to turn off without notice any access to the network that puts the Department's systems, data, users, and/or clients at risk. Any questions relating to this policy should be directed to the ITSS Help Desk Line (303) 866-3607.

E. New Accounts and/or Equipment

1. The Application for BlackBerry Services form must be completed and follow the clearance process contained therein before a BlackBerry will be ordered. The Application for BlackBerry Services form can be located below (Attachment A) or at the following link.

2. Once the Application for BlackBerry Services form has been through clearance and turned in to the ITSS, a Voice Service Change Form (also referred to as a telecommunications form) will need to be completed and emailed as an attachment to the Facility Coordinator in order to request the new equipment as well as set up the service. The information must include the COFRS coding string, BlackBerry model number and name, and staff member's name as part of the description on this form. The Voice Service Change Form (also referred to as a telecommunications form) can be [location illegible in scan]. Unless otherwise indicated on the Voice Service Change Form (also


referred to as a telecommunications form), the Department or state standard call plan will be used.

3. If a new user has a current mobile phone number (cell phone, BlackBerry, Treo) and would like that same number for the new BlackBerry, this information should be included on the Voice Service Change Form (also referred to as a telecommunications form) that is sent to the Facility Coordinator.

4. Upon delivery, all BlackBerry devices will go to the ITSS prior to opening for initialization.

F. Existing Account

1. For employees who currently have a BlackBerry and service plan, when it becomes necessary to replace or upgrade the existing BlackBerry (due to loss, damage or failure to operate), a Voice Service Change Form (also referred to as a telecommunications form) must be submitted to the Facility Coordinator with the staff person's name and BlackBerry phone number, the model name and number of the requested upgrade, and the COFRS coding string in the description field. For new requests, the Department or state standard service plan will be assigned unless specific changes need to be made. Please plan on a 2-week turnaround from the time the request is made until the new unit is received.

G. Each user's office will be billed for the cost of the BlackBerry and any accessories ordered plus monthly usage and plan charges. It is the responsibility of the user and his or her manager to assure that all usage is for the benefit of the Department. Any charges made for personal usage which result in a charge in excess of the standard monthly usage charges must be reimbursed by the employee to the Department via the Controller's Division.

H. Users are responsible for reviewing and approving all charges on their monthly statements prior to payment.

V. EFFECTIVE DATE

This Standard Operating Procedure will become effective upon signature by the executive director and is effective until revised, superseded or until one year from the date issued, whichever comes first.

VIOLATION OF THIS STANDARD OPERATING PROCEDURE MAY RESULT IN CORRECTIVE OR DISCIPLINARY ACTION.


Attachment A
APPLICATION FOR BLACKBERRY SERVICES

** PLEASE FILL OUT FORM COMPLETELY ** INCOMPLETE FORMS WILL BE REJECTED ** IMPORTANT ** OBTAIN APPROVAL BEFORE MAKING PURCHASE

Applicant's Name: ________ Division: ________ Model Requested: ________

Phone: ________ Submitted By: ________ Phone: ________ Today's Date: ________

Preferred Carrier: [ ] Verizon [ ] AT&T

BUSINESS JUSTIFICATION: Please provide the rationale for requesting a BlackBerry:

APPROVAL

IMPORTANT NOTE: Applicant acknowledges that he/she has read and understands the BlackBerry Usage Policy Agreement and consents to adhere to the rules outlined therein.

Involved User Signature: ________________ Date: ________

Supervisor: ________________ Date: ________

Division Director: ________________ Date: ________

Office Director / Budget & Finance Office: ________________ Date: ________

Forward completed application to Information Technology Support Section (303) 866360

TO BE COMPLETED BY ITSS AND FACILITIES: [fields illegible in scan] ITSS Signature: ________ Ordered By: ________ Model Ordered: ________ Carrier: ________

STANDARD OPERATING PROCEDURE

COLORADO DEPARTMENT OF HEALTH CARE POLICY AND FINANCING

NUMBER: PSP-018 DATE: 3/3/09 SUPERSEDES: NUMBER: CDHCPF Privacy and Security Manual, Workforce Security Section, subsection Workstation Use, and Physical Security Section, subsection Workstation Use DATE: April 18, 2005 EXECUTIVE DIRECTOR APPROVAL

WORKSTATION USE
I. PURPOSE AND AUTHORITY

A. PURPOSE: The purpose of this Standard Operating Procedure (SOP) is to establish policy and procedure for all employees, temporaries and contractors regarding workstation use.

B. AUTHORITY: 45 C.F.R. 164.310(b)-(c); 45 C.F.R. 164.312(a)(2)(iii)-(iv); 45 C.F.R. 164.312(c)(1)-(2); 45 C.F.R. 164.312(e)(2)(ii); 45 C.F.R. 164.530(c)

II. DEFINITIONS

A. Health Insurance Portability and Accountability Act of 1996 (HIPAA): For purposes of this SOP, HIPAA is defined as the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Section 1320d - 1320d-8, and its implementing regulations promulgated by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, and other applicable laws, as amended.

B. Individually Identifiable Health Information (IIHI): Information that is a subset of health information, including demographic information collected from an individual, and (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual (45 C.F.R. 160.103).


C. Protected Health Information (PHI): Individually identifiable health information that is: (1) transmitted by electronic media; (2) maintained in electronic media; or (3) transmitted or maintained in any other form or medium (45 C.F.R. 160.103).

D. Workforce: Permanent and temporary employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity (45 C.F.R. 106.103).

III. POLICY

A. Department workstations, computers (including Department notebook computers), systems, email and the Internet are to be used for official state business and to fulfill Department responsibilities and duties. Members of the Department's workforce will not use Department workstations, computers (including Department notebook computers), systems, email or the Internet for personal profit or gain.

B. Members of the Department's workforce will take appropriate steps to ensure that electronic PHI and/or other electronic confidential information is not readily available to those not authorized to access it.

C. The Department has the right to monitor and record all Internet usage and inspect any/all files stored on network or workstation drives, including email.

IV. PROCEDURE

A. Members of the Department's workforce will minimize all computer screens containing electronic PHI or other electronic confidential information when not working with those screens or when leaving their workstation for any period of time.

B. All Department workstation computers will automatically launch a screensaver after twenty (20) minutes of non-use. The user's LAN password will be required to exit the screensaver and return to the desktop.

C. Members of the workforce will not use any workstation computer that another person has already logged onto and will not use another person's user ID and password to log onto a workstation computer for any reason. The only exception will be for technical support provided by a member of the Information Technology Support Section.


D. Members of the Department's workforce will log off workstation computers at the conclusion of each work day unless prior approval by the Executive Director has been obtained.

E. Members of the Department's workforce will only save electronic PHI or other electronic confidential information on Department networks or drives if necessary, and only for as long as is necessary. Documents containing electronic PHI or other electronic confidential information that need to be accessible to others within the Department or are small in size will be saved on a Department network drive. Large documents containing electronic PHI or other electronic confidential information (large databases or reports) will be saved on the user's "D drive." Once the document/report is no longer needed, it should be deleted. Documents may be saved on a CD if an archive copy is necessary and as a backup procedure, but only until the document is no longer needed. (See SOP PSP-022 Device and Electronics Storage Controls)

F. Members of the Department's workforce will not attempt to attach any external device or install any software on Department systems, workstation computers or Department notebook computers without prior approval of the Information Technology Support Section.

G. The Department will take reasonable steps necessary to accommodate all members of the Department's workforce and ensure compliance with the Americans with Disabilities Act. These accommodations will be provided on a case by case basis and will be documented with the Security Officer.

H. A Department supervisor may request that a Department workforce member's Internet usage, email content and/or network or workstation files be monitored and/or recorded for a limited amount of time. The supervisor must make the request in writing and gain written approval from his/her Office Director and the Executive Director. The supervisor must provide justification for the request, and must request monitoring only for cause. Upon Executive Director approval, the Information Technology Support Section Manager will be notified and targeted monitoring will begin. The supervisor as well as the Information Technology Support Section Manager will maintain request documentation, written approvals, and all relevant information discovered, if any, during monitoring.

I. Logs reporting Internet sites visited and email subject lines will be automatically generated and the Information Technology Support Section will randomly review the logs. No targeted review of workforce member activity by the Information Technology Support Section will take place. If the Information Technology Support Section Manager finds during random review that a member of the Department's workforce appears to be violating the Department's Internet or email policies, he/she will notify the Chief Information Officer who will request

STANDARD OPERATING PROCEDURE # PSP-018

3/3/09 WORKSTATION USE Page 4 of6

direction from the Executive Director. Upon Executive Director approval and supervisor notification, the Information Technology Support Section Manager will begin targeted monitoring of the workforce member's Internet usage, email content and/or network or workstation files for a limited amount of time. J. Use of the Internet and Email 1. Accessing any inappropriate Internet site is prohibited, including sites that are obscene, hateful, harmful, malicious, hostile, threatening, abusive, vulgar, defamatory, profane, or racially, sexually or ethnically objectionable. Members of the Department's workforce who intentionally visit such sites will face severe sanction, including possible termination. Members of the Department's workforce will not download music files, games, pictures or any other software or freeware from the Internet. Use of the Department's email system is intended as a business tool to facilitate Department communications and information exchange with others outside and inside the Department. All email messages sent or received by a member of the Department's workforce are considered to be the property of the Department. Questions regarding appropriate use of email should be directed to the Privacy and/or Security Officer(s). Members of the Department's workforce will read and adhere to established Department email policies and procedures. Members of the Department's Workforce will ensure that all externally sent emails contain an attached signature with the sender's name, title, phone number (optional); and the following confidentiality clause: This email message and any included attachments, from the Colorado Department of Health Care Policy and Financing, are confidential and intended solely for the use of the individual or entity to which it is addressed. Unauthorized review, forwarding, printing, copying, or distributing is strictly prohibited and may be unlawful. 
If you received this email message in error, please notifY the sender immediately and delete the email withoutfurther disclosure. Thank you. 6. Members of the Department's workforce will take all reasonable steps to confirm the accuracy of email addresses. If a member of the Department's workforce discovers that an email has been sent in error, the recipient will be contacted and will be requested to delete the email message immediately. The workforce member will provide a copy of the email

2.

3.

4.

5.

STANDARD OPERATING PROCEDURE # PSP-018

3/3/09

WORKSTATION USE

Page 5 of 6

message, along with an explanation of the error and any resulting actions, to the Privacy Officer. 7. If a member of the Department's workforce has any reason to send an email to several Medical Assistance Program clients at one time, all clients will be "blind copied." No client email addresses will be disclosed to other clients or other third parties. As Department email is not encrypted at this time, members of the Department's workforce will severely limit the amount of PHI or other confidential information contained in email messages. The following precautions will be taken, unless an emergency process is established by the Privacy and/or Security Officer(s) and approved by the Department's Chief Information Officer and the Executive Director: a. If at all possible, correspondence containing PHI or other confidential information going to outside parties will be mailed or faxed. (See SOP PSP-019 General Information Safeguards) Within the Department, client identifying information may be included in an email message, with the exception of the client's social security number. Sender will limit client information to as little information as necessary. Outside the Department, no client identifying information other than State ID or client name initials will be included in an email message- full name, address, social security number, date of birth, and all other identifiers may not be included. Any additional information must be provided over the phone. The words "client," "client's ID," "state ID number," or anything that would convey that the number provided is a piece of PHI will not be included. If no other method may be utilized to provide information, a document containing only the minimum amount of PHI and no social security number may be emailed in a password-protected ZIP file. The password will be provided to the recipient by phone. 
PHI or other confidential information being shared with the Department's fiscal agent may be placed on or retrieved from the State Share Drive.

8.

b.

c.

d.

e.

This list is not to be considered all-inclusive. Further questions regarding appropriate inclusion of PHI or other confidential information within

STANDARD OPERATING PROCEDURE # PSP-018

3/3/09 WORKSTATION USE Page 6 of6

email messages Officer(s).

should be directed

to the Privacy

and/or Security

IV.

EFFECTIVE DATE This Standard Operating Procedure will become effective upon signature by the Executive Director and is effective until revised and superseded or until three years from the date issued, whichever comes first. VIOLATION OF THIS STANDARD OPERATING PROCEDURE MAY RESULT IN CORRECTIVE OR DISCIPLINARY ACTION.
