PURPOSE:
The San Francisco Child Abuse Prevention Center (SFCAPC) recognizes the importance of
maintaining the security and confidentiality of client, employee, volunteer, and donor personal
information through technological and physical safeguards, employee training, and effective
controls. This Information Security Policy outlines the administrative, technical, and physical
methods we use to protect confidential information and to comply with our obligations under
applicable state and/or federal laws. This policy applies to all activities carried out by SFCAPC staff.
This policy supplements other organizational policies that outline information security and confidentiality
expectations. The privacy of SFCAPC donors is governed by the Donor Privacy Policy.
Collaborative partner work (i.e., the Children's Advocacy Center of San Francisco and the SafeStart
Collaborative) is governed by supplemental privacy policies, as outlined in the last section of this document.
Employees are expected to agree to the Employee Confidentiality Agreement & Oath of
Confidentiality Regarding Client Information.
OBLIGATIONS:
Obligations to protect client information that SFCAPC must comply with include:
HIPAA: HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA is
a federal law that sets a national standard to protect medical records and other personal
health information. The rule defines "protected health information" (PHI) as health
A-27
POLICY:
The amount of personal information collected and shared by SFCAPC will be limited to the amount
reasonably necessary to accomplish our organizational mission and to comply with other state and
federal laws and regulations.
To protect information security, SFCAPC employees, interns, TALK Line volunteers and any other
volunteers with access to confidential electronic data are expected to:
Read the Information Security Policy, and acknowledge receipt of this plan upon hire via
signature.
Complete all required DPH annual compliance and privacy trainings, which address HIPAA,
information privacy, and the DPH Code of Conduct (SFCAPC employees and interns only).
Access only the confidential client information required for the tasks assigned.
Change electronic passwords to systems that contain confidential information regularly.
Passwords should contain at least eight characters, including at least one numeric and at least
one alphabetic character. Access to any files that contain passwords should be restricted in
the same manner as confidential client information.
Access applications containing protected health information via secured, private networks.
Report suspicious or unauthorized use of confidential information to the Sr. Program
Manager - Operations.
Safely store all paper files and other records (in any form) containing personal information in
locked cabinets.
Safely store all digital files containing personal information on the server or on the hard
drive of SFCAPC computers.
Dispose of any paper records with personal information by shredding them.
If leaving the organization, return all records containing personal information, including all
such information stored on laptops or other portable devices or media, and in files, records,
work papers, etc.
Similarly, employees, interns, TALK Line volunteers, and any other volunteers with access to confidential
electronic data are prohibited from:
Keeping open files containing personal information on desks or open on computers while
away from work areas.
E-mailing client names to outside providers, either in the body of an email or in attachments.
Emailing client names to other agency staff is acceptable only when the recipient has an
sfcapc.org email address.
Discussing client matters or mentioning client names in spaces where other clients or
employees unaffiliated with their case may overhear.
Sharing usernames and passwords, allowing multiple individuals to use the same log-in
information for an application that contains PHI.
Storing PHI on personal laptops or other devices not owned by SFCAPC.
Accessing PHI on any device via a public wireless network.
Removing any physical records of PHI from the premises.
Violation of the Plan's security provisions will result in discipline, up to and including termination,
based upon the nature of the violation and the nature of the personal information affected.
PROCEDURE:
SFCAPC maintains a number of procedures to protect the security of confidential client and
employee information, including:
Training
Upon hire, all SFCAPC employees, interns, TALK Line volunteers, and any other volunteers
with access to confidential electronic data must read and acknowledge receipt of the
Information Security Plan in writing.
Annually, all SFCAPC employees and interns must complete compliance and privacy
trainings administered by the San Francisco Department of Public Health.
Physical Access
Access to SFCAPC physical facilities is protected via key codes and ID badges; only
employees, interns, and certain volunteers are provided key codes / ID badges.
A separated employee's physical access to personal information will be blocked immediately
upon termination. Separated employees must return all PHI, as well as keys, badges, and any
other item that permits access to SFCAPC.
Client files are kept in locked cabinets when they are not in use. A check-out log is kept
and monitored by the Client Care and Programs Support team. Any files not returned to the
file cabinets are researched in a timely manner.
SFCAPC laptops are kept in locked cabinets when they are not in use. A check-out log of
all laptops and other Information Technology equipment is kept and monitored by the
Client Care and Programs Support team. Any pieces of equipment not returned to the
equipment cabinets are researched in a timely manner.
Client files are reviewed on an annual basis to identify files for clients who are no longer
active. Inactive client files are stored separately from active client files in a secure location.
The SFCAPC server is housed on-site at the organization's Waller St. location. Log-in access
to the server is only provided to system administrators.
Any contractor whose role requires access to confidential client information must complete
SFCAPC's Business Associate Agreement.
Data Sharing
All requests to share data with an individual or organization outside SFCAPC must be
approved by a member of the Senior Management Team or the Senior Program Manager -
Operations. Requests will be considered on a case-by-case basis.
In general, no Protected Health Information may be shared with outside parties without
specific permission from the client. This includes name, date of birth, address, zip code,
phone number, and Social Security Number.
SPECIAL CONSIDERATIONS:
CHILDREN'S ADVOCACY CENTER OF SAN FRANCISCO POLICY:
Please refer to the following documents for more detail on information security in the context of the
Children's Advocacy Center of San Francisco (CAC-SF).
CAC-SF Memorandum of Understanding (MOU) - Article 5, section 5.8: recognizes and
confirms a shared commitment to children's confidentiality, collaboration, communication
for CAC-SF cases, and information sharing.
Data Sharing Agreement (an addendum to the MOU): A legal agreement among the CAC
partners with respect to both non-electronic and electronic data sharing and CAC client
information storage among the CAC-SF Multi-Disciplinary Team (CAC-SF MDT) for the
purpose of child abuse investigation, prevention, identification, or treatment.
CAC-SF MDT Data Sharing Protocol: Outlines the implementation of the Data Sharing
Agreement.
CAC-SF Partners share data in person, over the phone, and in limited electronic means,
including email, under the Child Abuse MDT provisions in California law (Welf. & Inst.
Code, § 18961.7).
I have received the information security policy, read it, and understand what is expected of me to
protect client information.
__________________________________________
Signature
__________________________________________
Name (printed)
__________________________________________
Date