Purpose

Comprehensive, systematic, and effective risk prevention and management practices reduce the organization’s risk, loss, and liability exposure.

RPM 6: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.

Interpretation: Regulations that govern the protection of individually identifiable health information and set national standards for the security of electronic protected health information include the Health Insurance Portability and Accountability Act (“HIPAA” Privacy and Security Rule) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”).

Interpretation: The standards in this section address security of all types of records, including case records, administrative, financial, health, and personnel records, unless otherwise noted. See also RPM 7 Case Records and RPM 8 Access to Case Records.

Rating Indicators

1. The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the RPM 6 Practice standards.
2. Practices are basically sound but there is room for improvement, as noted in the ratings for the RPM 6 Practice standards.
3. Practice requires significant improvement, as noted in the ratings for the RPM 6 Practice standards.
4. Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the RPM 6 Practice standards.

Table of Evidence

Self-Study Evidence
    • Data security policies and procedures, including HIPAA compliance, as applicable (RPM 6.01, RPM 6.03, RPM 6.07)
    • Procedures for the maintenance and disposal of case records (RPM 6.02)
    • Organization website URL, as applicable (RPM 6.04)
    • Policies and guidelines on the use of social media, electronic communications, and mobile devices (RPM 6.05)
    • Procedures for managing data interruptions/disaster recovery plan (RPM 6.06)
    • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable

On-Site Evidence
    • RPM 7 Case Records*

On-Site Activities
    • Interview:
      1. Finance personnel
      2. PQI personnel
      3. Information systems manager
      4. Program directors
      5. Direct service personnel
    • Case record room/files and information system accessibility observation

  • RPM 6.01

    The organization protects confidential and other sensitive information from theft, unauthorized use or disclosure, damage, or destruction by:

    a. limiting access to authorized personnel on a need-to-know basis;
    b. using firewalls, anti-virus and related software, and other appropriate safeguards;
    c. monitoring security measures on an ongoing basis;
    d. having the ability to remotely wipe or disable mobile devices, if applicable; and
    e. maintaining paper records in a secure location.

    Interpretation: The organization may limit access to authorized personnel by:

    • limiting access based on staff role within the organization;
    • ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be regularly changed, locks the user out of the system for incorrect log in attempts, and automatically times out after a period of inactivity and prompts reauthentication;
    • disabling the equipment, passwords, and access of former employees; and
    • ensuring the system is capable of recording the person accessing confidential information in the system, and records when information is altered or deleted, also known as audit logs.

    Interpretation: An employee separation checklist is a helpful tool that can be used to ensure that all equipment is returned and network connections are disabled when a staff member leaves the organization.

    Interpretation: Regarding element (d), organizations should have the ability to remotely disable, deactivate, and/or wipe data in the event that a device is lost, stolen, repurposed, or discarded.

    Interpretation: Organizations may also consider encryption and/or secure networks in order to reasonably and appropriately safeguard confidential and other sensitive information. 

    Interpretation: The organization needs to consider both safety and security when deciding where and how to store and maintain its records. Other important considerations include information taken off-site by staff and online access to the organization’s electronic system. The organization should develop a system that best fits its needs and circumstances.

    Secure storage of paper records may include:

    • locked file cabinets;
    • a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
    • a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.

    Organizations may also consider using:

    • fireproof cabinets;
    • metal file cabinets;
    • a sprinkler system; or
    • not storing records in basements in areas that are prone to flooding.

    Note: Please see Facility Observation Checklist - Private, Public, Canadian for additional assistance with this standard.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspect of the organization's data security procedures needs strengthening; or
       • With few exceptions procedures are understood by staff and are being used.
    3. Practice requires significant improvement; e.g.,
       • There is a major deficiency in at least one of the listed elements resulting in a significant risk to the organization; or
       • There have been instances of unauthorized access to confidential or sensitive information; or
       • Procedures are not well-understood or used appropriately.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • RPM 6.02

    Unless otherwise mandated by law, the organization maintains case records as follows:

    a. for at least seven years after case closing for adults;
    b. until the age of majority or seven years after case closing, whichever is longer, for minors; and
    c. disposes of case records in a manner that protects privacy and confidentiality in the event of the organization’s dissolution.

    Interpretation: Proper disposal of paper and electronic records can include: shredding paper records, clearing electronic files when computers are replaced or reassigned, and destroying electronic media such as flash drives.

    Interpretation: Credit counseling organizations are required to maintain case records for a minimum of one year unless otherwise mandated by law.

    NA: The organization provides only Community Change Initiatives (CCI), Early Childhood Education (ECE), Social Advocacy (SOC), Youth Development (YD), non-clinical group, crisis intervention, and/or information and referral services.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • One of the elements needs strengthening; or
       • With few exceptions procedures are understood by staff and are being used.
    3. Practice requires significant improvement; e.g.,
       • One of the elements has not been addressed at all; or
       • Procedures are not well-understood or used appropriately.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • RPM 6.03

    Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal requirements.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Legal or regulatory requirements have not been recently reviewed.
    3. Practice requires significant improvement; e.g.,
       • The organization is aware of compliance problems and is working to remediate deficiencies; or
       • The organization has been notified of compliance problems and is working with the relevant authority to remediate deficiencies.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
       • The organization is aware of compliance problems and is not working to remediate deficiencies; or
       • The organization has been notified of compliance problems but there is no evidence that efforts are being made to remediate deficiencies.

  • RPM 6.04

    A privacy policy is posted on the organization’s website to inform website visitors about:

    a. what information is being collected; and
    b. how that information is being gathered, used, shared, and protected.

    Interpretation: Website visitors should be informed that activity on third-party websites and applications is subject to third-party privacy and/or data policies, which may override the organization’s own privacy policy. Organizations need to evaluate their use of third-party platforms to ensure compliance with applicable legal and confidentiality requirements.

    NA: The organization does not maintain a website.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • The website privacy policy needs strengthening.
    3. Practice requires significant improvement; e.g.,
       • The website privacy policy is inadequate.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • RPM 6.05

    The organization has policies and procedures addressing the use and monitoring of:

    a. social media;
    b. electronic communications; and
    c. mobile devices, including staff-owned devices, if applicable.

    Interpretation: “Social media and electronic communications” include a variety of applications and websites used to create and share content, for example:

    • the organization’s own website;
    • external websites;
    • email;
    • texting;
    • blogs;
    • social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
    • wikis; and
    • discussion forums.

    Risks associated with the use of social media and electronic communications may include:

    • unauthorized or prohibited contact between staff and service recipients;
    • unauthorized or inappropriate use of organization logos or trademarks;
    • personal comments or opinions that can be misconstrued as representing the views of the organization, or that present the organization in a negative light;
    • inadvertent or deliberate disclosure of confidential or proprietary business information; and
    • inadvertent or deliberate disclosure of confidential or protected information about service recipients.

    Interpretation: A social media policy could address:

    • the organization’s definition of “social media”;
    • responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
    • prohibited forms of communication;
    • the appropriate use of social media, including confidentiality and privacy considerations; and/or
    • consequences for failure to follow the policy and/or related guidelines.
    Interpretation: Communicating via mobile devices is a growing trend in many fields that raises security concerns. The HIPAA Privacy Rule permits covered health care providers to communicate electronically with service recipients as long as appropriate administrative, physical, and technical safeguards are in place. Organizations should inform service recipients about the risks associated with communicating electronically and obtain their consent prior to use.
    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspects of policy or guidelines need further development.
    3. Practice requires significant improvement; e.g.,
       • The policy and/or guidelines are very basic and provide minimal guidance to staff; or
       • Policy and guidelines are not well-understood by staff; or
       • Guidelines are frequently not being followed; or
       • Policy and/or guidelines are still under development and have only been partially implemented.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • RPM 6.06

    The organization is prepared for the interruption of data and limits the disruption to its operations and service delivery by:

    a. maintaining procedures for managing data interruptions and resuming operations;
    b. notifying staff of procedures for data interruption;
    c. backing up electronic data regularly, with copies maintained off premises;
    d. regularly testing the organization’s back up plan, including data restoration processes;
    e. maintaining contact information for all staff; and
    f. developing procedures for alternative methods of communication with staff and stakeholders during periods of disruption.

    Interpretation: The standards in ASE 7 provide additional requirements for emergency response planning. RPM 6.06 applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency.

    Interpretation: Maintaining data off premises may include the use of secure cloud storage systems.

    Interpretation: Procedures for managing data interruptions should address both planned and unplanned periods of downtime.

    Research Note: A disaster recovery plan is a set of procedures put in place to protect and recover an organization’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the organization’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred.

    Factors that increase the effectiveness of a disaster recovery plan include: training staff on response procedures; practicing procedures/conducting downtime drills; testing disaster recovery systems on an ongoing basis; and monitoring plan implementation.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard. An emergency plan or continuation of operation plan exists that addresses all elements of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Some aspects of the plan and/or procedure need further development.
    3. Practice requires significant improvement; e.g.,
       • The plan and/or procedure is very basic and provides minimal guidance to staff; or
       • The plan and/or procedure are still under development and have only been partially implemented.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all.

  • RPM 6.07

    The organization ensures its electronic system for managing health records or protected health information:

    a. operates in compliance with all applicable regulations; and
    b. limits access to information in accordance with client privacy preferences and confidentiality rules to the greatest extent possible.

    Interpretation: Regarding element (b), if the electronic health record system employed by the organization is not able to meet all client privacy preferences and/or all of the necessary confidentiality rules, the organization informs the service recipient of the system’s limitations and obtains consent for the exchange of electronic health information based on those restrictions.

    Interpretation: Additional consideration should be given to information specific to mental health treatment, substance use treatment, genetic information, and HIV/AIDS status, as these information types are governed by additional confidentiality and disclosure rules and regulations.

    Interpretation: The HIPAA Security Rule and Meaningful Use criteria provide strong guidance to organizations regarding the capabilities of electronic health record (EHR) systems. Using a certified EHR is the best way to meet the Meaningful Use criteria. Organizations that are unable to acquire a certified EHR should still strive to meet Meaningful Use recommendations in their selection and use of EHR systems.

    Note: The system must also comply with all relevant standards in RPM related to the management of information, technology, and case records.

    NA: The organization does not electronically manage health records or protected health information.

    Rating Indicators

    1. The organization's practices reflect full implementation of the standard.
    2. Practices are basically sound but there is room for improvement; e.g.,
       • Procedures for monitoring and maintaining legal compliance require greater clarity or specificity.
    3. Practice requires significant improvement; e.g.,
       • Practices have not been reviewed for compliance in over one year; or
       • The organization is aware of compliance problems and is working to remediate deficiencies; or
       • The organization has been notified of compliance problems and is working with the relevant authority to remediate deficiencies.
    4. Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
       • The organization is aware of compliance problems and is not working to remediate deficiencies; or
       • The organization has been notified of compliance problems but there is no evidence that efforts are being made to remediate deficiencies.

Copyright © 2018 Council on Accreditation. All Rights Reserved.