Email and Internet Usage Policies - Essay Example

Introduction My company’s email policies are necessarily strict, however, they do not address situations that have occurred lately. There are policies in place to address workplace gossip, libelous statements and threats of physical violence. They also address emailing friends or family while working, though there is some allowance for personal email on breaks or lunch hours. As a heath care corporation, emails that contain patient information are restricted to associates within the workplace, and only when necessary. Accessibility All outgoing and incoming email is processed through the company’s server and monitored by a group of system administrators. There are normally three working on each standard 8hour shift, though some work 12 hour shifts as well. All employees who have access to the corporate intranet also have access to the internet. Everyone who has access is issued a username and password by IT staff, when initially hired. Usernames and passwords are only changed upon request by the individual employee. Email username and password should be different from those used to log on to the system. All employees are encouraged to set up their accounts in this manner. Corporate Policy Upon orientation, which all new staff must go through, rules and regulations regarding use of the company intranet and email system are clearly spelled out, in a specific section of the employee handbook. Instructions are also given on how to handle setting up new accounts, dealing with technical support issues and any other questions regarding the intranet or email. New employees meet with at least one member of the IT staff during orientation. Each new employee is visited by a member of IT staff within 24 hours, if contact via email or phone does not solve a specific problem an employee has. Specific policy regarding email applies to all employees, whether administrative, health care, support or maintenance staff. For health care or medical records staff who may have frequent contact with other care providers, policies regarding patient information are reviewed during orientation. It is acceptable for health care staff to email others within the organization on patient status or other pertinent information, particularly when some new records have not been scanned into the system. However, health care workers are encouraged to fax necessary records or supporting documents. Health care staff within the organization are encouraged to print pertinent emails regarding patient status, attach them to patient records, then delete messages. All messages are automatically deleted after 3 days. Archiving of email messages is discouraged, as it poses a risk of patient information falling into the wrong hands, though the risk is slim. Protecting Data Patient documents or records attached to emails are strictly forbidden. In keeping With HIPPA regulations, email is encrypted for security. Further, “any email containing PHI(Patient Health Information) is required to contain the official HIPPA Notice” (HIPPA Procedure 5123PR.1). Health care staffs are restricted from sending email with patient information to other facilities outside our organization. This does not apply to satellite offices for specialty and other clinics. Each clinical or medical department and floor has at least two working fax machines, and use of them for sending of medical information not scanned in to the system is encouraged as the preferred method over email. Monitoring and Enforcement Monitoring of email is random. IT staff administrators are the only staff who can monitor activity. “The IT departments at some large companies could be taking a do-it- yourself approach to employee monitoring” (Schulman, 2001). Our IT department has developed its own monitoring system, which is tailored to the needs for individual selectivity, as opposed to using a product such as MIMEsweeper or MailGear. While personal email is discouraged, it is allowed on break times. Often health care staffs work long shifts, so contact with family members via email is permitted. This activity is left to department heads or supervisors to monitor. Though emails may be deleted after sending, those that are considered libelous, Threatening, Spam or otherwise considered abusive will be handled by IT staff, who are required to report such actions to the main system administrator and facility security supervisor. Employees who are found to take part in such activity are required to report to Human Resources for scheduling of mental health evaluation. They are also restricted from email and intranet access for a period of sixty days. For forged origination headers, an employee who is caught is handled in the same manner. Because monitoring is random, all activity may not be caught. However, employees Who receive libelous or threatening emails are encouraged to report the activity to their Immediate supervisor and an IT administrator as well, for further evaluation. Forging of origination headers may result in up to two weeks suspension without pay. This policy is strict, as forgery of any intranet communications, including email is considered as serious as any forged document. Any subsequent offense of forged email headers, threats or libelous statements may result in termination, at the discretion of Human Resource administrators. Though spoofing is rare, due to encryption procedures of all system email, employees are instructed to be alert for any suspicious email, “claiming to be from a system administrator requesting users to change their passwords to a specified string or claiming to be from a person in authority requesting the user to send a copy of a password, file or other sensitive information” (CERT Coordination Center). Policy also states that for emails in question, the recipient is not required by our organization to respond or provide sensitive patient information. No employee can be terminated for failure to comply to an email in question. Recently, with expansion of facility services and additional patient care departments, many new employees have been hired. Some question validity of emails from employees of other departments. Departments spend more time on the phone, verifying new staff members. Proposed improvements include sending lists of all new employees on a weekly basis, to each patient care department and medical records, which lists the employee name and email email only. Some department heads have complained about employee abuse in sending personal email on company time. Proposed increased monitoring of specific employees is encouraged. Department heads and supervisors must speak with an IT administrator about the situation, providing the employee name. As all employees log in and out, including break times, increased or continuous monitoring may be put in place, to compare times of personal emails with break times. All infractions will result in counseling of employees. Further action may be taken by HR administrators if the abuse continues. New policies are designed as specific needs arise, by IT staff surveying and meeting staff and supervisors of all departments. When a new policy or procedure is adopted, memos are hand delivered to all departments immediately. They are not generally updated very often. Emails are also sent to each registered user, for more complete distribution of new policy. References CERT Coordination Center. Spoofed/Forged Email. Retrieved October 23, 2007 from http://www.cert.org/tech_tips/email_spoofing.html. HIPPA Procedure 5123PR.1. General Electronic Communication of ePHI. Retrieved October 23, 2007 from http://www.yale.edu/ppdev/Procedures/hipaa/ 5123/5123PR1.pdf. Schulman, A. (2001). The Extent of Systematic Monitoring of Employee E-mail and Internet Use. Retrieved October 22, 2007 from http://www.sonic.net/~undoc/extent.htm# Read More