Policy Manual sample

MDT Home Health Care Agency, Inc. TEXTING AND EMAILING POLICY POLICY: Addresses texting and emailing between staff members of the workforce and discusses how to ensure safer texting/emailing practices as part of our Agency's privacy and security compliance program. Text (or SMS) messaging, email has become nearly ubiquitous on mobile devices. Clinical care is not immune from the trend, and in fact multiples clinician appear to be embracing texting/email on par with the general population. Texting can offer to our field staff numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes. It is essential for our Agency to understand the communication needs of our workforce in order to appropriately address any privacy and security risks they may pose. The Risks of Text Messaging and Emailing All forms of communication involve some level of risk. Text messaging and emails merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged. Procedures: 1) Text messages and emails may reside on a mobile device indefinitely, where the information can be exposed to unauthorized third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password. Each field staff is instructed to protect their mobile device with strong password to prevent unauthorized access, and immediately after the text or email is sent to the Agency receiving party, the information must be permanently deleted from the staff device. 2) Text messaging and Email are addressed as part of the Agency's comprehensive risk annual analysis and management strategy. 3) Identify and document any reasonably anticipated threats to ePHI, such as: • Theft or loss of the mobile device • Improper disposal of the device • Interception of transmission of ePHI by an unauthorized person • Lack of availability of ePHI to persons other than the mobile device user • Prevent misdirected email based on email classification and recipient identities. This prevents sensitive information being sent to unauthorized end users. 4) The Agency implement the following security controls that include: a) Prohibiting the texting of ePHI limiting the type of information that may be shared via text/email message (condition-specific information, treatment or information identifying a patient is prohibited, no personal information must be texted, only identification by Agency Medical Record Number) The staff can only text for asking a call back by specific Agency staff to clarify Home Health Agency Policies A-179