How To Contain Confidential Or Sensitive Information
I. Purpose
The goal of this policy is to define and establish standards and procedures for the receipt and removal of hardware and electronic media that contain confidential or sensitive information.
II. Scope and Limitations
This policy applies to all Topaz workforce members.
III. Related Policies Name and Number
None
IV. Definitions
None
V. Procedures
A. Accountability Procedures
1. Topaz does not store or maintain e-PHI on any equipment or media. However, Company sensitive and confidential information may be stored on electronic device and media. All workforce members log into a client’s network environment and systems to access, process and transmit e-PHI as needed to provide health information services.
2. All media that …show more content…
When media that contains confidential or sensitive information is created, received or moved within or outside of the organization, its movement and the name of the workforce member responsible for that movement must be documented. Such documentation must include the workforce member’s name, the information affected, the reason for the movement, and the date and time.
4. If media that contains confidential or sensitive information is to be transferred to an off-site location, the data on the media should be encrypted, and the encryption and decryption keys are to be protected with the same care as the data.
5. Media tracking mechanisms are utilized to track the accountability of media into and out of Topaz.
6. When a device or media containing confidential or sensitive information is released for off-site maintenance or storage, a legally binding contract for the management of the information must be in place to protect the confidentiality of the data.
B. Data Backup and Storage Procedures
1. All confidential or sensitive information is backed up through the data center. When required a media may be utilized to backup sensitive and confidential information, all use of media and removable storage for backup must be pre-approved by the IT Supervisor and/or Chief Product and Technology Officer. Such media will be managed in accordiance with these …show more content…
Disposal
1. Disposal procedures of all IT assets and equipment will be centrally managed and coordinated by the IT Department. The IT Department is also responsible for backing up and wiping company data on all IT assets slated for disposal as well as the removal of company tags and/or identifying labels.
2. All devices and media that contain confidential or sensitive information should be destroyed by overwriting the entire media at least once with pseudorandom data, degaussing or physical destruction of the device or media.
3. Media or information system disposal vendor may be utilized to dispose of device or media. A business associate agreement or contract confirming confidentiality the information in he device or media this destruction must be executed between Topaz and the chosen disposal vendor. The devices or media to be disposed of must be marked as containing confidential or sensitive information before it goes off site for disposal.
4. The IT Department is also responsible for acquiring credible documentation from the contracted disposal vendor that are contracted to conduct the data wiping, tag or label removal or any other part of the disposal process.
E. Mobile Device
The goal of this policy is to define and establish standards and procedures for the receipt and removal of hardware and electronic media that contain confidential or sensitive information.
II. Scope and Limitations
This policy applies to all Topaz workforce members.
III. Related Policies Name and Number
None
IV. Definitions
None
V. Procedures
A. Accountability Procedures
1. Topaz does not store or maintain e-PHI on any equipment or media. However, Company sensitive and confidential information may be stored on electronic device and media. All workforce members log into a client’s network environment and systems to access, process and transmit e-PHI as needed to provide health information services.
2. All media that …show more content…
When media that contains confidential or sensitive information is created, received or moved within or outside of the organization, its movement and the name of the workforce member responsible for that movement must be documented. Such documentation must include the workforce member’s name, the information affected, the reason for the movement, and the date and time.
4. If media that contains confidential or sensitive information is to be transferred to an off-site location, the data on the media should be encrypted, and the encryption and decryption keys are to be protected with the same care as the data.
5. Media tracking mechanisms are utilized to track the accountability of media into and out of Topaz.
6. When a device or media containing confidential or sensitive information is released for off-site maintenance or storage, a legally binding contract for the management of the information must be in place to protect the confidentiality of the data.
B. Data Backup and Storage Procedures
1. All confidential or sensitive information is backed up through the data center. When required a media may be utilized to backup sensitive and confidential information, all use of media and removable storage for backup must be pre-approved by the IT Supervisor and/or Chief Product and Technology Officer. Such media will be managed in accordiance with these …show more content…
Disposal
1. Disposal procedures of all IT assets and equipment will be centrally managed and coordinated by the IT Department. The IT Department is also responsible for backing up and wiping company data on all IT assets slated for disposal as well as the removal of company tags and/or identifying labels.
2. All devices and media that contain confidential or sensitive information should be destroyed by overwriting the entire media at least once with pseudorandom data, degaussing or physical destruction of the device or media.
3. Media or information system disposal vendor may be utilized to dispose of device or media. A business associate agreement or contract confirming confidentiality the information in he device or media this destruction must be executed between Topaz and the chosen disposal vendor. The devices or media to be disposed of must be marked as containing confidential or sensitive information before it goes off site for disposal.
4. The IT Department is also responsible for acquiring credible documentation from the contracted disposal vendor that are contracted to conduct the data wiping, tag or label removal or any other part of the disposal process.
E. Mobile Device