Purpose

Comprehensive, systematic, and effective risk prevention and management practices reduce the organization’s risk, loss, and liability exposure.

CA-RPM 6: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification, and unauthorized disclosure or use.

Interpretation: The standards in this section address security of all types of records, including case records, administrative, financial, health, and personnel records, unless otherwise noted. See also CA-RPM 7 Case Records and CA-RPM 8 Access to Case Records.

Rating Indicators

1. The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the CA-RPM 6 Practice standards.
2. Practices are basically sound but there is room for improvement, as noted in the ratings for the CA-RPM 6 Practice standards.
3. Practice requires significant improvement, as noted in the ratings for the CA-RPM 6 Practice standards.
4. Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the CA-RPM 6 Practice standards.

Table of Evidence

Self-Study Evidence
    • Data security policies and procedures (CA-RPM 6.01, CA-RPM 6.03, CA-RPM 6.07)
    • Procedures for the maintenance and disposal of case records (CA-RPM 6.02)
    • Organization website URL, as applicable (CA-RPM 6.04)
    • Policies and guidelines on the use of social media, electronic communications, and mobile devices (CA-RPM 6.05)
    • Procedures for managing data interruptions/disaster recovery plan (CA-RPM 6.06)

On-Site Evidence
    • Agreements with third parties (e.g., information technology vendors), when applicable

On-Site Activities
    • Interview:
      1. Finance personnel
      2. PQI personnel
      3. Information system manager
      4. Program directors
      5. Direct service personnel
    • Case record room/files and information system accessibility observation

  • CA-RPM 6.01

    The organization protects confidential and other sensitive information from theft, unauthorized use, disclosure, damage, or destruction by:

    a. limiting access to authorized personnel on a need-to-know basis;
    b. using firewalls, anti-virus and related software, and other appropriate safeguards;
    c. monitoring security measures on an ongoing basis;
    d. having the ability to remotely wipe or disable mobile devices, if applicable; and
    e. maintaining paper records in a secure location.

    Interpretation: The organization may limit access to authorized personnel by:

    • limiting access based on staff role within the organization;
    • ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be changed regularly, locks the user out after repeated incorrect login attempts, and automatically times out after a period of inactivity and prompts for reauthentication;
    • disabling the equipment, passwords and access of former employees; and
    • ensuring the system is capable of recording the person accessing confidential information in the system, and records when information is altered or deleted, also known as audit logs.
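The controls listed in this interpretation (role-based need-to-know access, lockout after repeated bad logins, an inactivity timeout that forces reauthentication, disabling departed staff, and an audit log of who read, altered or deleted a record) fit together into one small access-control layer. The following Python model is an added illustration written for this page, not code from the Council on Accreditation or from any accredited organization; the role-to-record-type mapping, the five-attempt lockout threshold and the 15-minute timeout are assumed values that an organization would set for itself.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # lock the account after this many wrong passwords (assumed threshold)
INACTIVITY_TIMEOUT = 15 * 60   # seconds idle before reauthentication is required (assumed value)
PBKDF2_ROUNDS = 100_000        # password hashing work factor; tune upward for production hardware

# Need-to-know: which record types each staff role may touch (assumed mapping).
ROLE_PERMISSIONS = {
    "caseworker": {"case"},
    "finance": {"financial"},
    "admin": {"case", "financial", "personnel", "health"},
}


class ReauthenticationRequired(Exception):
    """Raised when a session has been idle longer than INACTIVITY_TIMEOUT."""


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True      # set False when the employee leaves; account kept so audit entries keep their actor
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user: User
    last_activity: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class RecordSystem:
    """In-memory record store with role-based access, lockout, idle timeout and an audit log."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so the timeout can be exercised in tests
        self.users = {}         # name -> User
        self.records = {}       # record_id -> (record_type, content)
        self.audit_log = []     # (timestamp, actor, action, record_id, outcome)

    def _audit(self, actor, action, record_id, outcome):
        self.audit_log.append((self.clock(), actor, action, record_id, outcome))

    def add_user(self, name, role, password):
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, _hash_password(password, salt))

    def deactivate_user(self, name):
        # Separation checklist step: access is disabled, not the account deleted.
        self.users[name].active = False
        self._audit("system", "deactivate_user", name, "ok")

    def add_record(self, record_id, record_type, content):
        self.records[record_id] = (record_type, content)

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not user.active or user.locked:
            self._audit(name, "login", "-", "denied")
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True
            self._audit(name, "login", "-", "locked" if user.locked else "bad_password")
            return None
        user.failed_attempts = 0
        self._audit(name, "login", "-", "ok")
        return Session(user, self.clock())

    def _authorize(self, session, action, record_id):
        # Every access attempt, allowed or not, lands in the audit log.
        actor = session.user.name
        now = self.clock()
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            self._audit(actor, action, record_id, "timed_out")
            raise ReauthenticationRequired(actor)
        session.last_activity = now
        record_type = self.records[record_id][0]
        if not session.user.active or record_type not in ROLE_PERMISSIONS.get(session.user.role, set()):
            self._audit(actor, action, record_id, "denied")
            raise PermissionError(f"{actor} ({session.user.role}) may not {action} {record_type} records")
        self._audit(actor, action, record_id, "ok")

    def read(self, session, record_id):
        self._authorize(session, "read", record_id)
        return self.records[record_id][1]

    def update(self, session, record_id, content):
        self._authorize(session, "update", record_id)
        self.records[record_id] = (self.records[record_id][0], content)

    def delete(self, session, record_id):
        self._authorize(session, "delete", record_id)
        del self.records[record_id]
```

The audit log records denials and timeouts as well as successful reads, updates and deletions, which is what makes it useful when reviewing for the unauthorized-access instances the rating indicators mention; a real deployment would write these entries to append-only storage that the application account itself cannot edit.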

    Interpretation: An employee separation checklist is a helpful tool that can be used to ensure that all equipment is returned and network connections are disabled when a staff member leaves the organization.  

    Interpretation: Regarding element (d), organizations should have the ability to remotely disable, deactivate, and/or wipe data in the event that a device is lost, stolen, repurposed, or discarded. 

    Interpretation: Organizations may also consider encryption and/or secure networks in order to reasonably and appropriately safeguard confidential and other sensitive information. 

    Interpretation: The organization needs to consider both safety and security when deciding where and how to store and maintain its records. Other important considerations include information taken off-site by staff and online access to the organization’s electronic system. The organization should develop a system that best fits its needs and circumstances.

    Secure storage of paper records may include:

    • locked file cabinets;
    • a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
    • a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.

    Organizations may also consider using:

    • fireproof cabinets;
    • metal file cabinets;
    • a sprinkler system; or
    • not storing records in basements in areas that are prone to flooding.

    Note: Please see Facility Observation Checklist - Private, Public, Canadian for additional assistance with this standard.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspect of the organization's data security procedures needs strengthening; or
       • With few exceptions procedures are understood by staff and are being used.
    3. Practice requires significant improvement; e.g.,
       • There is a major deficiency in at least one of the listed elements resulting in a significant risk to the organization; or
       • There have been instances of unauthorized access to confidential or sensitive information; or
       • Procedures are not well-understood or used appropriately.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • CA-RPM 6.02

    Unless otherwise mandated by law, the organization maintains case records as follows:

    a. for at least seven years after case closing for adults;
    b. until the age of majority or seven years after case closing, whichever is longer, for minors; and
    c. disposes of records in a manner that protects privacy and confidentiality in the event of the organization’s dissolution.

    Interpretation: Proper disposal of paper and electronic records can include: shredding paper records, clearing electronic files when computers are replaced or reassigned, and destroying electronic media such as flash drives.

    Interpretation: Credit counseling organizations are required to maintain case records for a minimum of one year unless otherwise mandated by law.

    NA The organization provides only Community Change Initiatives (CCI), Early Childhood Education (ECE), Social Advocacy (SOC), Youth Development (YD), non-clinical group, crisis intervention, and/or information and referral services.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • One of the elements needs strengthening; or
       • With few exceptions procedures are understood by staff and are being used.
    3. Practice requires significant improvement; e.g.,
       • One of the elements has not been addressed at all; or
       • Procedures are not well-understood or used appropriately.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • CA-RPM 6.03

    Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal, regulatory, and/or contractual requirements.

    Interpretation: Staff who deliver services using electronic media, including telephone and computer, discuss associated risks with service recipients.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Legal or regulatory requirements have not been recently reviewed.
    3. Practice requires significant improvement; e.g.,
       • The organization is aware of compliance problems and is working to remediate deficiencies; or
       • The organization has been notified of compliance problems and is working with the relevant authority to remediate deficiencies.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
       • The organization is aware of compliance problems and is not working to remediate deficiencies; or
       • The organization has been notified of compliance problems but there is no evidence that efforts are being made to remediate deficiencies.

  • CA-RPM 6.04

    A privacy policy is posted on the organization’s website to inform website visitors about: 

    a. what information is being collected; and
    b. how that information is being gathered, used, shared, and protected.

    Interpretation: Website visitors should be informed that activity on third-party websites and applications is subject to third-party privacy and/or data policies, which may override the organization’s own privacy policy. Organizations need to evaluate their use of third-party platforms to ensure compliance with applicable legal and confidentiality requirements. 

    NA The organization does not maintain a website.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • The website privacy policy needs strengthening.
    3. Practice requires significant improvement; e.g.,
       • The website privacy policy is inadequate.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • CA-RPM 6.05

    The organization has policies and guidelines addressing the use and monitoring of:

    a. social media;
    b. electronic communications; and
    c. mobile devices, including staff-owned devices, if applicable.

    Interpretation: “Social media and electronic communications” include a variety of applications and websites used to create and share content, for example:

    • the organization’s own website;
    • external websites;
    • email;
    • texting;
    • blogs;
    • social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
    • wikis; and
    • discussion forums.

    Risks associated with the use of social media and electronic communications may include:

    • unauthorized or prohibited contact between staff and service recipients;
    • unauthorized or inappropriate use of organization logos or trademarks;
    • personal comments or opinions that can be misconstrued as representing the views of the organization, or misrepresent the organization;
    • inadvertent or deliberate disclosure of confidential or proprietary business information; and
    • inadvertent or deliberate disclosure of confidential or protected information about service recipients.

    Interpretation: A social media policy could address:

    • the organization’s definition of “social media”;
    • responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
    • prohibited forms of communication;
    • the appropriate use of social media, including confidentiality and privacy considerations; and/or
    • consequences for failure to follow the policy and/or related guidelines.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspects of policy or guidelines need further development.
    3. Practice requires significant improvement; e.g.,
       • The policy and/or guidelines are very basic and provide minimal guidance to staff; or
       • Policy and guidelines are not well-understood by staff; or
       • Guidelines are frequently not being followed; or
       • Policy and/or guidelines are still under development and have only been partially implemented.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • CA-RPM 6.06

    The organization is prepared for the interruption of data and limits the disruption to its operations and service delivery by:

    a. maintaining procedures for managing data interruptions and resuming operations;
    b. notifying staff of procedures for data interruption;
    c. backing up electronic data regularly, with copies maintained off premises;
    d. regularly testing the organization’s backup plan, including data restoration processes;
    e. maintaining contact information for all staff and volunteers; and
    f. developing procedures for alternative methods of communication with staff and stakeholders during periods of disruption.

    Interpretation: The standards in CA-ASE 7 provide additional requirements for emergency response planning. CA-RPM 6.06 applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency. 

    Interpretation: Maintaining data off premises may include the use of secure cloud storage systems. 

    Interpretation: Procedures for managing data interruptions should address both planned and unplanned periods of downtime. 

    Research Note: A disaster recovery plan is a set of procedures put in place to protect and recover an organization’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the organization’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred. 

    Factors that increase the effectiveness of a disaster recovery plan include: training staff on response procedures; practicing procedures/conducting downtime drills; testing disaster recovery systems on an ongoing basis; and monitoring plan implementation.
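A backup that has never been restored is only a hope. The standard's call for regular backups and for testing the restoration process can be exercised as a scripted drill: snapshot the records, record a checksum manifest at backup time, restore into a scratch location, and compare every restored file against the manifest. The Python drill below is an added example written for this page, not a Council on Accreditation tool or any organization's real procedure; the record tree it backs up is constructed sample data, and the tar-plus-manifest format is one assumed choice among many.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative path -> SHA-256 for every file under src, captured at backup time."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and a JSON manifest beside it; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    (archive.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest and return the restored data root."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return dest / "data"


def verify_restore(restored: Path, manifest: dict) -> list:
    """Relative paths that are missing or whose restored content differs from the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (restored / rel).is_file() or sha256_file(restored / rel) != digest]


def run_drill(tamper: bool = False) -> tuple:
    """Full backup-and-restore drill on constructed sample data.

    Returns (passed, problem_files). tamper=True corrupts one restored file so the
    drill demonstrates that a bad restore is detected rather than reported as success.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"                       # constructed sample record tree
        (src / "cases").mkdir(parents=True)
        (src / "cases" / "case-001.txt").write_text("intake notes (constructed sample)\n")
        (src / "finance.csv").write_text("2018-01-01,100.00\n")
        work = Path(tmp) / "work"
        work.mkdir()
        manifest = create_backup(src, work / "backup.tar.gz")
        restored = restore_backup(work / "backup.tar.gz", work / "restore")
        if tamper:
            (restored / "finance.csv").write_text("2018-01-01,999.00\n")
        problems = verify_restore(restored, manifest)
        return (len(manifest) > 0 and not problems, problems)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered restore:", run_drill(tamper=True))
```

The manifest is stored with the backup, so the same check can be run months later against the off-premises copy; an empty manifest is treated as a failed drill, since a restore that "succeeds" by restoring nothing is the failure mode a drill should catch.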


    Rating Indicators

    1. The organization's practices reflect full implementation of the standard. An emergency plan or continuation of operations plan exists that addresses all elements of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspects of the plan and/or procedure need further development.
    3. Practice requires significant improvement; e.g.,
       • The plan and/or procedure is very basic and provides minimal guidance to staff; or
       • The plan and/or procedure is still under development and has only been partially implemented.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • CA-RPM 6.07

    The organization ensures its electronic system for managing health records or protected health information:

    a. operates in compliance with applicable legislation, regulations, and/or contracts; and
    b. limits access to information in accordance with service recipient/client privacy preferences and confidentiality rules to the greatest extent possible.

    Interpretation: Regarding element (b), if the electronic health record system employed by the organization is not able to meet all client privacy preferences and/or all of the necessary confidentiality rules, the organization informs the service recipient of the system’s limitations and obtains consent for the exchange of electronic health information based on those restrictions. 

    Note: The system must also comply with all relevant standards in RPM related to the management of information, technology, and case records. 

    NA The organization does not electronically manage health records or protected health information.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Procedures for monitoring and maintaining legal compliance require greater clarity or specificity.
    3. Practice requires significant improvement; e.g.,
       • Practices have not been reviewed for compliance in over one year; or
       • The organization is aware of compliance problems and is working to remediate deficiencies; or
       • The organization has been notified of compliance problems and is working with the relevant authority to remediate deficiencies.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
       • The organization is aware of compliance problems and is not working to remediate deficiencies; or
       • The organization has been notified of compliance problems but there is no evidence that efforts are being made to remediate deficiencies.

Copyright © 2018 Council on Accreditation. All Rights Reserved.