SCOPE
UAMS Workforce with access to Confidential Information, including Electronic
Protected Health Information (ePHI), for any purpose.
DEFINITIONS
UAMS Workforce means employees, physicians, volunteers, residents, students, trainees,
visiting faculty, and other persons whose conduct, in the performance of
work for UAMS, is under the direct control of UAMS, whether or not they are
paid by UAMS.
Confidential Information includes
information concerning UAMS research projects, confidential employee
information, information concerning the UAMS research programs, proprietary
information of UAMS, and sign-on and password codes for access to UAMS
computer systems. Confidential information shall include Protected Health
Information.
Protected Health Information (PHI) means information that is part of an individual’s
health information that identifies the individual or there is a reasonable
basis to believe the information could be used to identify the individual,
including demographic information, and that (i) relates to the past, present
or future physical or mental health or condition of the individual; (ii)
relates to the provision of health care services to the individual; or (iii)
relates to the past, present, or future payment for the provision of health
care services to an individual. This includes PHI which is recorded
or transmitted in any form or medium (verbally, or in writing, or
electronically). PHI excludes health information maintained in
educational records covered by the federal Family Educational Rights Privacy
Act and health information about UAMS employees maintained by UAMS in its
role as an employer.
Electronic Protected Health Information (ePHI) means individually identifiable
health information that is:
· Transmitted by electronic media
· Maintained in electronic media
Information Systems means an interconnected set of information resources under the same direct
management control that shares common functionality. A system normally
includes hardware, software, information, data, application, communications,
and people.
POLICY
Members of the UAMS Workforce who are assigned to work
from home part-time or full-time in an official UAMS capacity are
responsible for maintaining the privacy
and security of all UAMS Confidential Information including Protected Health
Information (PHI) and Electronic Protected Health Information (ePHI) and for
following all UAMS policies and procedures related to Confidential
Information, PHI, and ePHI.
PROCEDURE
1. Confidential Information, including PHI, is not to be removed from
   UAMS by members of the Workforce without prior approval and a signed
   confidentiality agreement on file.
2. The Workforce member is responsible for maintaining the privacy and
   security of all Confidential Information that they may be transporting,
   storing or accessing off-site. This includes, but is not limited to:
   A. Protected Health Information and Electronic Protected Health
      Information
   B. Computers that contain or access Confidential Information
   C. Confidential Working Papers
3. UAMS policies are in effect whether the Workforce member is working
   off-site or in a UAMS facility. The following safeguards must be
   acknowledged:
   A. IT Network Security 7.3.08
      1. Any Confidential Information or ePHI sent from workstations, laptops,
         PDAs and other mobile devices must be encrypted.
   B. Safeguarding PHI Policy 3.1.38
      1. Electronic media and printed information must be transported and
         stored in a secure manner.
      2. All media containing PHI or ePHI must be disposed of appropriately
         and must never be placed in regular trash. This includes printed
         information, faxes, hard drives, diskettes and CDs.
      3. UAMS materials must be put away when not being used and kept in a
         secure location that is not accessible to others including children,
         spouse and visitors.
   C. Mobile Device Safeguards #3.1.17 and HIPAA Security Protection
      from Malicious Software 7.3.15
      1. Anti-virus software must be installed on all home computers and
         mobile devices used for UAMS business, and they must be password
         protected.
      2. Employees are required to maintain updates to current operating
         systems (ex. Microsoft updates/patches).
   D. Confidentiality Policy #3.1.15
      1. Passwords must not be shared or accessible to family members or
         others.
   E. The printing of confidential information from home computers should
      be kept to a minimum and only as needed in accordance with UAMS policies.
4. UAMS Workforce Members who are assigned to work from home part-time
   or full-time in an official UAMS capacity involving Confidential Information
   must sign the formal “UAMS Work at Home Agreement.” The agreement consists
   of UAMS Campus Requirements for Working from home and a section for
   departments to add guidelines specific to their area, if desired. For
   example, departments might consider including: who will bear the cost and
   installation of equipment, phone lines, and the replacement of any UAMS
   equipment that is stolen or destroyed; measures for maintaining
   productivity and quality; attendance at meetings; recording time worked; or
   other requirements.
5. UAMS will provide to the Workforce Member access to or a copy of the
   following UAMS Policies from the Administrative Guide:
   A. 3.1.40 Working at Home
   B. 3.1.15 Confidentiality Policy
   C. 3.1.38 Safeguarding of PHI Policy
   D. 7.3.08 IT Network Security
   E. 3.1.17 Mobile Device Safeguards
   F. 7.3.15 HIPAA Security Protection from Malicious Software
6. UAMS equipment taken home requires a signed UAMS Property Located
   Off-Campus Form.
7. Employees and/or supervisors may contact IT to verify software or
   hardware compliance.
UAMS Work-at-Home Agreement
UAMS Campus Requirements.
(These items must be a part of all Work-at-Home Agreements)
1. I have received, agree to and abide by the following UAMS
   Administrative Guide Policies:
   a. 3.1.40 Working at Home
   b. 3.1.15 Confidentiality Policy
   c. 3.1.38 Safeguarding of PHI Policy
   d. 7.3.08 IT Network Security
   e. 3.1.17 Mobile Device Safeguards
   f. 7.3.15 HIPAA Security Protection from Malicious Software
2. I agree to maintain the privacy and security of all UAMS Confidential
   Information including Protected Health Information (PHI) and Electronic
   Protected Health Information (ePHI) and agree to access, use and disclose in
   accordance with all applicable UAMS policies and procedures.
3. As with all UAMS workforce, I understand that my work is subject to
   auditing and I will cooperate with any requirements of the UAMS auditing
   process.
4. I agree to maintain current anti-virus software, spyware protection,
   and operating systems updates on my computer.
5. I understand that any violations of this agreement or UAMS policies
   and procedures are subject to disciplinary action up to and including
   termination.
…………………………………………………………………………..
Department Specific Requirements, if any (Optional):
Employee signature
Date
Employee address where work will be performed
_____________________________
Employee phone number
Staff: Provide a copy of the signed agreement to the employee, a copy to UAMS OHR
for the employee’s personnel file, and maintain the original in the
department file.