
A-27

POLICIES AND PROCEDURES


Title: Information Security Policy
Effective/Updated: April 1, 2016
Prepared by: Paul Collier, Data and Evaluation Manager
Approved by: Blia Moua, Senior Program Manager - Operations
Reference: https://sites.google.com/site/etosoftwarehelpmanual/faqs/security-faqs; HIPAA; Welf. & Inst. Code, 18961.7
Review Date: January 2017
Distribution: All Staff to acknowledge via signature at hire

PURPOSE:
The San Francisco Child Abuse Prevention Center (SFCAPC) recognizes the importance of
maintaining the security and confidentiality of client, employee, volunteer, and donor personal
information through technological and physical safeguards, employee training, and effective
controls. This Information Security Policy outlines the administrative, technical, and physical
methods we use to protect confidential information and to comply with our obligations under
applicable state and/or federal laws. This policy applies to all activities carried out by SFCAPC staff.

This supplements other organizational policies that outline information security and confidentiality
expectations. The privacy of SFCAPC donors is governed by the Donor Privacy Policy.
Collaborative partner work (i.e., the Children's Advocacy Center of San Francisco and SafeStart
Collaborative) has supplemental privacy policies as outlined in the last section of this document.
Employees are expected to agree to the Employee Confidentiality Agreement & Oath of
Confidentiality Regarding Client Information.

OBLIGATIONS:
Obligations to protect client information that SFCAPC must comply with include:
HIPAA: HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA is
a federal law that sets a national standard to protect medical records and other personal
health information. The rule defines "protected health information" (PHI) as health
information that: 1. Identifies an individual and 2. Is maintained or exchanged electronically
or in hard copy. Examples of Protected Health Information we collect and store at SFCAPC
are:
o Names
o Addresses
o Mental health diagnoses
These examples do not represent an exhaustive list of PHI at SFCAPC. Each staff member
is responsible for protecting information that may individually identify a client.

Additionally, SFCAPC is committed to protecting the personal information of donors and
employees, defined as an individual's first name and last name or first initial and last name in
combination with any one or more of the following:
Social Security Number
Driver's license number or state-issued identification card number
Financial account number or password that would permit access to a person's financial
account
Date of Birth

POLICY:
The amount of personal information collected and shared by SFCAPC will be limited to the amount
reasonably necessary to accomplish our organizational mission and to comply with other state and
federal laws and regulations.

To protect information security, SFCAPC employees, interns, TALK Line volunteers and any other
volunteers with access to confidential electronic data are expected to:
Read the Information Security Policy, and acknowledge receipt of this plan upon hire via
signature.
Complete all required DPH annual compliance and privacy trainings, which address HIPAA,
information privacy, and the DPH Code of Conduct (SFCAPC employees and interns
only).
Access only the confidential client information required for the tasks assigned.
Change electronic passwords to systems that contain confidential information regularly.
Passwords should contain at least eight characters with at least one numeric and
alphanumeric character. Access to any files that contain passwords should be restricted in
the same manner as confidential client information.
Access applications containing protected health information via secured, private networks.
Report suspicious or unauthorized use of confidential information to the Sr. Program
Manager - Operations.
Safely store all paper files and other records (in any form) containing personal information in
locked cabinets.
Safely store all digital files containing personal information on the server or on the hard
drive of SFCAPC computers.
Dispose of any paper records with personal information by shredding them.
If leaving the organization, return all records containing personal information, including all
such information stored on laptops or other portable devices or media, and in files, records,
work papers, etc.


Similarly, employees, interns, TALK Line volunteers and any other volunteers with access to confidential
electronic data are prohibited from:
Keeping open files containing personal information on desks or open on computers while
away from work areas.
Emailing client names, either in the body of an email or in attachments, to outside providers.
Emailing client names to other agency staff is acceptable only to those with an sfcapc.org email
address.
Discussing client matters or mentioning client names in spaces where other clients or
employees unaffiliated with their case may overhear.
Sharing usernames and passwords, allowing multiple individuals to use the same log-in
information for an application that contains PHI.
Storing PHI on personal laptops or other devices not owned by SFCAPC.
Accessing PHI on any device via public wireless networks.
Removing any physical records of PHI from the premises.

Additionally, SFCAPC managers are expected to:
Ensure that employees, interns, TALK Line volunteers and any other volunteers with access to
confidential electronic data are aware of information security policies and complete required
trainings.
Immediately contact the Sr. Program Manager - Operations whenever an information
security violation is discovered or suspected.

Violation of the Plan's security provisions will result in discipline, up to and including termination,
based upon the nature of the violation and the nature of the personal information affected.

PROCEDURE:
SFCAPC maintains a number of procedures to protect the security of confidential client and
employee information, including:

Training
Upon hire, all SFCAPC employees, interns, TALK Line volunteers and any other volunteers
with access to confidential electronic data must read and acknowledge receipt of the
Information Security plan in writing.
Annually, all SFCAPC employees and interns must complete compliance and privacy
trainings administered by the San Francisco Department of Public Health.

System Controls for Digital Access
Access to the SFCAPC server and network is restricted to active employees and interns with
active user accounts only. System settings require users to change their network log-in
password every 90 days. The password must contain at least 8 characters, with at least one
lower and uppercase character, and at least one number or symbol. Additionally, folders on
the server can be restricted such that only specified users have access.
Access to applications which contain confidential information is given only after
authorization by the individual's supervisor.
Firewalls are in place at the network and workstation level to protect against unauthorized
access, and anti-virus and anti-malware software is installed on all SFCAPC machines.

SFCAPC's third-party IT provider 24hourtek monitors network traffic continuously, has
automated alerts for suspected threats, and follows up on all alerts immediately to ensure
network security.
SFCAPC wireless access is password-protected.
A separated employee's electronic access to personal information will be blocked
immediately when they are no longer employed by the organization.

Process Controls for Digital Access
As employees, interns, TALK Line volunteers and any other volunteers with access to
confidential electronic data leave the organization, the person responsible for each
application which contains confidential information will block access immediately. Personnel
responsible for each application include:
o Raiser's Edge - Development Manager
o FundEZ - Chief Financial Officer
o ADP HRIS - Human Resources Manager
o CMS - Sr. Program Manager - Operations
o CARBON - Sr. Program Manager - Operations
o Efforts to Outcomes - Data and Evaluation Manager, Waller
o Children's Advocacy Center San Francisco Database - Client Services Advocate and
Data Manager, Third St.
o Active Directory - 24hourTek
o Google Apps - 24hourTek
Access to confidential client information in ETO is restricted via user profiles.
Each quarter, the Data and Evaluation Manager performs a review of all active ETO user
accounts to verify that all user access is appropriate.

Physical Access
Access to SFCAPC physical facilities is protected via key codes and ID badges - only
employees, interns, and certain volunteers are provided key codes / ID badges.
A separated employee's physical access to personal information will be blocked immediately
upon termination. Separated employees must return all PHI, as well as keys, badges, and any
other item that permits access to SFCAPC.
Client files are kept in locked cabinets when they are not in use. A check-out log is kept
and monitored by the Client Care and Programs Support team. Any files not returned to the
file cabinets are researched in a timely manner.
SFCAPC laptops are kept in locked cabinets when they are not in use. A check-out log of
all laptops and other Information Technology equipment is kept and monitored by the
Client Care and Programs Support team. Any pieces of equipment not returned to the
equipment cabinets are researched in a timely manner.
Client files are reviewed on an annual basis to identify files for clients who are no longer
active. Inactive client files are stored separately from active client files in a secure location.
The SFCAPC server is housed on-site at the organization's Waller St. location. Log-in access
to the server is only provided to system administrators.

Visitors and Contractors
Visitors' physical access to SFCAPC is restricted in the same manner as SFCAPC employees.
Additionally, visitors may not access client files or confidential client information maintained
on information systems.

Any contractor whose role requires access to confidential client information must complete
SFCAPC's Business Associate Agreement.

Data Sharing
All requests to share data with an individual or organization outside SFCAPC must be
approved by a member of the Senior Management Team or the Senior Program Manager -
Operations. Requests will be considered on a case-by-case basis.
In general, no Protected Health Information may be shared with outside parties without
specific permission from the client. This includes name, date of birth, address, zip code,
phone number, and Social Security Number.

SPECIAL CONSIDERATIONS:
CHILDREN'S ADVOCACY CENTER OF SAN FRANCISCO POLICY:
Please refer to the following documents for more detail on information security in the context of the
Children's Advocacy Center of San Francisco (CAC-SF).
CAC-SF Memorandum of Understanding (MOU) - Article 5, section 5.8: recognizes and
confirms a shared commitment to children's confidentiality, collaboration, communication
for CAC-SF cases, and information sharing.
Data Sharing Agreement (an addendum to the MOU): A legal agreement among the CAC
partners with respect to both non-electronic and electronic data sharing and CAC client
information storage among the CAC-SF Multi-Disciplinary Team (CAC-SF MDT) for the
purpose of child abuse investigation, prevention, identification, or treatment.
CAC-SF MDT Data Sharing Protocol: Outlines the implementation of the Data Sharing
Agreement.
CAC-SF Partners share data in person, over the phone, and in limited electronic means,
including email, under the Child Abuse MDT provisions in California law. (Welf. & Inst.
Code, 18961.7.)

SAFESTART COLLABORATIVE POLICY:
Please refer to the following document for more detail on information security in the context of the
SafeStart Collaborative.
SafeStart Subcontract Agreements - Agreement among SafeStart Partners which authorizes
sharing of information specific to the collaborative among partner agencies.

DONOR PRIVACY POLICY:
Please refer to the following document for more detail on information security in the context of
fundraising activities:
Donor Privacy Policy - Defines protected donor information, and guidelines followed for
maintaining donor privacy.

EMPLOYEE CONFIDENTIALITY AGREEMENT & OATH OF CONFIDENTIALITY:
Please refer to the following document for more detail on SFCAPC's confidentiality expectations:
Employee Confidentiality Agreement & Oath of Confidentiality - Outlines expectations
around safeguarding confidential information disclosed to employees and interns.

OTHER LAWS AND POLICIES:
This Policy is intended to supplement and not replace or supersede applicable federal and state laws.


I have received the information security policy, read it, and understand what is expected of me to
protect client information.

__________________________________________
Signature

__________________________________________
Name (printed)

__________________________________________
Date
