ELECTRONIC COMMUNICATIONS POLICY

SCOPE: This policy applies to all Users of Hospital electronic mail (e-mail), electronic communication systems and information systems, including, but not limited to, employees, contractors, physicians, service centers and representatives of vendors and business partners. Unless otherwise indicated, this policy applies to both internal Hospital e-mail and e-mail sent over the Internet. The policy applies to all of the Hospital’s e-mail systems and other information systems and methods, including, but not limited to:
    All e-mail systems (Outlook, Meditech Magic Office (also known as MOX), etc.);
    All information systems and associated infrastructure;
    All automated electronic communication processes utilizing e-mail or the Internet;
    Internet-based discussion groups, chat services, and mailing lists;
    Electronic connections with the Internet or non-Hospital Systems; and
    Electronic bulletin board systems and online services to which the Hospital subscribes.

PURPOSE: This policy is designed to protect the Hospital, its personnel, its customers, and its resources from the risks associated with use of e-mail, the Internet, and other forms of electronic communication.

POLICY:

A. Business Purpose and Use. The Hospital encourages the use of the Internet, e-mail, and other electronic communications to promote efficient and effective communication in the course of conducting Hospital business. Internet access, e-mail and other electronic communications are Hospital property, and their primary purpose is to facilitate Hospital business.
1. Users have the responsibility to use electronic communications in a professional, ethical, and lawful manner in accordance with the Hospital’s Code of Conduct.
2. Every User has a responsibility to maintain and enhance the Hospital’s public image and to use Hospital e-mail, access to the Internet, and other electronic communications in a productive manner. These electronic communication mechanisms may be subject to discovery in the event of litigation. As with all communications, colleagues should avoid saying or using anything that might appear inappropriate or might be misconstrued by a reader.
3. The Hospital recognizes that Users may occasionally need to conduct personal business during their work hours and permits highly limited, reasonable personal use of the Hospital’s communication systems. Any personal use of the Hospital’s electronic communications is subject to all the provisions of this and related policies. Any questions are to be directed to the User’s Hospital supervisor/representative.

B. Hospital Right to Access Files and Messages.
1. Users shall presume no expectation of privacy in anything they may create, store, send or receive on the computer systems, and the Hospital reserves the right to monitor and/or access communications usage and content without the User’s consent. The Hospital may log, review, and otherwise utilize information stored on or passing through its systems in order to manage systems and enforce security. For these same purposes, the Hospital may also capture User activity such as telephone numbers dialed and web sites visited.
2. Users will return all electronic files or determine appropriate disposition with their immediate supervisor when leaving the department or separating from the Hospital. The User will not delete files and will retain files in accordance with the Hospital Records Management Policy ____.
3. To ensure appropriate use and successful operation of the Hospital’s electronic communication systems and the information they contain, it is sometimes necessary for Hospital system administrators to access and view their contents. Statistical information about each User and other measures of system performance, such as number and size of messages sent and received, Internet sites visited, length of time spent using the Internet, etc., are routinely collected and monitored by system administrators. While the goal of this type of monitoring is to evaluate and improve system performance, any evidence of violations of Hospital policy discovered in the course of this type of monitoring will be reported to the appropriate managers.
4. The Hospital reserves the right to examine electronic mail, personal file directories, hard disk drive files, and other information stored on Hospital information systems at any time and without prior notice. This examination is performed to:
    a. assure compliance with internal policies,
    b. support the performance of internal investigations, and
    c. assist with the management of Hospital information systems.
Only the Hospital legal counsel Compliance Officer in consultation with Hospital Administration Counsel can authorize access to and disclosure of an individual colleague’s messages or computer files without that colleague’s knowledge, except as noted in 5 below. Information contained in e-mail messages and other information concerning computer usage may be disclosed to the appropriate authorities, both inside and outside of the Hospital, to document employee misconduct or criminal activity. Moreover, in some situations, the Hospital may be required to publicly disclose e-mail messages, even those marked private or intended only for limited internal distribution. Personal files on Hospital computers must generally be handled with the same privacy given to personal mail and personal phone calls. This means that other workers, including managers and system administrators, must not read such personal files without authorization as described above.
5. The following exceptions may be made routinely upon a request to the Hospital’s Director of Information Systems with approval of the User’s department manager:
    a. To dispose of or reassign files after a User has left the Hospital, or
    b. To access critical files when a User is absent and has failed to properly delegate access to e-mail or forward such files to appropriate colleagues.

C. Communications Content. Users will use the same care in writing and distributing e-mail or other electronic communications as they would for any other written communication. Content of electronic communications should be truthful and accurate, sent to recipients based on a need-to-know, and sent/posted with appropriate security measures applied.
1. Sensitive Hospital information, patient identifiable information, or confidential information as defined in the Hospital’s Code of Conduct, may only be transmitted to individuals via the Hospital’s internal e-mail systems (e.g., MOX, Outlook) to other Users of the Hospital e-mail systems who are authorized to access the specific information;
2. Sensitive Hospital information, patient identifiable information, or confidential information as defined in the Hospital’s Code of Conduct, may only be transmitted to accounts or destinations outside the Hospital using secure methods specifically approved in advance by Information Services (IS) and in accordance with the Hospital’s Appropriate Access policies. In addition, appropriate agreements must be in place between the involved parties.
3. Sensitive Hospital information, patient identifiable information, or confidential information as defined in the Hospital’s Code of Conduct, must not be posted on publicly accessible areas of the Internet (e.g., discussion groups, bulletin boards, chat services, unsecured web sites, etc.). Examples of inappropriate transmissions:
    a. Sending sensitive Hospital information in an e-mail, or as an attachment to an e-mail, to your home e-mail account.
    b. Using standard unencrypted or otherwise unsecured e-mail for communications with patients and other healthcare consumers.

D. Sanctions. Violations of this policy could lead to disciplinary measures up to and including termination of employment or business relationship. Suspected violations of this policy are to be handled in accordance with the Hospital’s disciplinary policies.

PROCEDURES:

A. Communications Uses: In the use of electronic communication mechanisms, Users must follow these procedures to ensure the appropriate use of electronic communications.
1. Computer Viruses. Every User must take reasonable precautions to avoid introducing viruses into the Hospital’s network. Files from the Internet must not be downloaded unless approved by the User’s supervisor and needed to perform the User’s job function, and neither downloaded files nor e-mail attachments from outsiders may be opened without first scanning the material with IS-approved virus checking software. For example, users should not download screen savers.
    a. All Users must have the Hospital’s standard anti-virus utility properly installed and running on their PCs;
    b. All Users must keep virus signature files updated pursuant to IS Standards; and
    c. All Users must be aware that when they receive an e-mail from an unknown source with an attachment, they should be skeptical about the message and must delete the message and attachment without opening either.
2. Internet/Network Connections.
    a. Accessing the Internet or other non-Hospital network directly, by modem or alternate provider, while connected to the Hospital network is strictly prohibited. For example: a User must not dial out to an unauthorized Internet Service Provider (ISP) or service (e.g., America Online (AOL)) due to the lack of boundary protection with ad hoc connections.
    b. Users accessing the Internet or other non-Hospital network through a computer attached to the Hospital’s network may do so only through approved connections and methods (e.g., firewall/proxy or virus wall) to establish boundary protection. A contract/agreement must be established prior to the establishment of network connections and communication and/or the exchange of electronic information assets. The involved parties will agree to exchange and provide for the confidentiality and integrity of the exchanged electronic information assets. For example: Business Associates will be connected through an approved vendor firewall method when an agreement is established.
    c. Users will use only Hospital e-mail services on Hospital equipment and network. Users must not access non-Hospital e-mail services. These e-mail services may introduce viruses to the Hospital network when a User checks his or her e-mail. For example: Users must not access e-mail services such as Hotmail, Yahoo, Lotus Notes, etc.
3. Remote Access Authentication. Users will be “strongly” authenticated into the Hospital’s network when accessing the network from off-premise locations. Strong authentication requires the use of something more than a network user-ID and password, such as a token or certificate PIN number as defined in the IS Security Standards. Due to the nature of changing technologies, the method to strongly authenticate an individual, process or program will be defined in the IS Security Standards.
4. Internet Use. The Hospital is not responsible for material viewed or received by Users on or from the Internet. Users are only to access or download materials from appropriate Internet sites in accordance with the Code of Conduct.
5. Records Management. Messages and documents transmitted electronically may be considered official business records of the Hospital and are therefore subject to the Hospital’s Records Management Policy ______. The originator/sender of the message or other electronic transmission (or the recipient if the sender is outside the Hospital) is the person responsible for retaining the message or transmitted information. E-mail messages may be retained in electronic form in the mailbox, or printed and filed along with other documents related to the same topic or project. Users may delete messages as permitted by the Records Management Policy _____, or messages that are being retained in printed form.
6. Size Requirements. The Hospital’s e-mail and Internet access systems do not have unlimited transmission or storage capacity. For this reason, IS will establish limits on message size, mailbox size, and volume of messages. Some of these limits are configured in the system, while others depend on judicious use of e-mail features.
    a. Users are to use file compression utilities on large files to reduce the size of attachments before sending a message with an e-mail attachment. For example, files greater than two (2) megabytes should be compressed.
    b. Users are not to include clipart or other graphics in the autosignature feature, and are to avoid using message background designs because they increase the size of an e-mail message.

B. Unacceptable Uses. The Hospital’s Internet access, e-mail, or other electronic communications may NEVER be used in any of the following ways:
    a. To harass, intimidate, or threaten another person.
    b. To access or distribute obscene, sexually explicit, abusive, libelous, or defamatory material.
    c. To distribute copyrighted materials that are not authorized for reproduction/distribution.
    d. To impersonate another user or mislead a recipient about your identity.
    e. To access another person’s e-mail, if you are not specifically authorized to do so.
    f. To bypass system security mechanisms.
    g. To transmit unsecured patient identifiable or other sensitive Hospital information.
    h. To initiate or forward chain letters or chain e-mail.
    i. To send unsolicited mass e-mail (“spamming”) to persons with whom the User does not have a prior relationship.
    j. To participate in political or religious debate.
    k. To automatically forward messages (e.g., with mailbox rules) to Internet e-mail addresses.
    l. To communicate the Hospital’s official position on any matter, unless specifically authorized to make such statements on behalf of the Hospital.
    m. To pursue business interests that are unrelated to the Hospital.
    n. To conduct any type of personal solicitation.
    o. To deliberately perform acts that waste computer resources or unfairly monopolize resources.
    p. For any purpose that is illegal, against Hospital policy, or contrary to the Hospital’s best interests.

C. Policy Exceptions. The IS Security key contact will establish a security governance process at the corporate level to review and approve policy exceptions. Exception approval will be based upon risk management reflecting appropriate, reasonable and effective security measures for a given situation.