1. General Information Collection
The only personal information we collect through the web site is the information you voluntarily provide. The only other type of information we collect is your current IP address. This IP address is a number that is assigned to your computer when you access the Internet. It is necessary to allow communication between the different computers which comprise the Internet. This information is entered, in aggregate, into a log, which helps us track usage on our Web Site.
2. Limitations on Disclosures
As FSL transitions to electronic health records and other systems, protection practices and procedures have become correspondingly more sophisticated.
User authentication is required at every level: at network logon and for each software application; special remote access to the network and device management are additionally protected. Within each of our enterprise applications, read-write access is tiered, so that one’s “privileges” control the type of access. Emails via cell phones are limited, and all network users are forced to use an encryption system that requires a set-up between the staff member and anyone outside our agency before the email can be sent. Stick drives and other storage devices are disallowed and typically disabled by special software. Drilling down into our electronic health records, one would find that access to all sections of client privacy information is on a need-to-know basis.
As concerns general protections: Staff are trained annually in HIPAA and Privacy protections. Using a third-party tool (Clear Water Compliance Software), FSL’s IT Department has completed a comprehensive system audit that is in full compliance with the Office of Medicaid Inspector General’s (OMIG’s) HITECH requirements. Using the results of the audit, we addressed all items that indicated any weakness to data integrity or to unauthorized network access.
FSL’s User Technology Acceptance is a document contained in the Employee Handbook which each user must sign/acknowledge before being given any access to any FSL systems. Users must acknowledge their review of best practices and FSL policies on a yearly basis via a cloud-based Learning Management System administered by our HR Department. Our internal IT policies are continuously updated and documented in a shared OneNote (Microsoft) Directory. An inventory of all hardware and software is kept in SpiceWorks (software to be reconciled and evaluated for its ability to work with network security software).
Other Data-Privacy Protections: Key to privacy protections from external intrusions is having the right hardware. FSL has 20 virtualized servers on an enterprise-class IBM host in a certified SSAE 16 SOC II “private cloud” with multiple layers of security as well as environmental protection systems throughout the physical plant. Mission-critical systems are replicated in a separate SSAE 16 SOC II private cloud. The overall system is monitored 24/7 by a computer support company. FSL employs several layers of security to keep out hackers, intruders, viruses, and other potential system disruptions or damage.
FSL maintains a Disaster Recovery/Business Continuity Plan/Process. Disaster Recovery scenarios are tested on a yearly basis. (Information needed to implement DR is available to IT and Executive Team members from any Internet-connected device.)