Standards for public agencies

2020 Edition

Risk Prevention and Management (PA-RPM) 5: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.


The standards in this section address security of all types of paper and electronic information maintained by the organization, unless otherwise noted, including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resource records; and
  4. performance and quality improvement data and reports.

Proactive, comprehensive, and systematic risk prevention and management practices sustain the agency’s ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.
Full Implementation, Outstanding Performance
A rating of (1) indicates that the agency's practices fully meet the standard and reflect a high level of capacity.  
  • All elements or requirements outlined in the standard are evident in practice, with rare or no exceptions: exceptions do not impact service quality or agency performance. 
Substantial Implementation, Good Performance
A rating of (2) indicates that an agency's infrastructure and practices are basically sound but there is room for improvement.
  • The majority of the standard's requirements have been met and the basic framework required by the standard has been implemented.
  • Minor inconsistencies and not yet fully developed practices are noted; however, these do not significantly impact service quality or agency performance.

Partial Implementation, Concerning Performance
A rating of (3) indicates that the agency's observed infrastructure and/or practices require significant improvement.  

  • The agency has not implemented the basic framework of the standard but instead has in place only part of this framework.  
  • Omissions or exceptions to the practices outlined in the standard occur regularly, or practices are implemented in a cursory or haphazard manner.  
  • Service quality or agency functioning may be compromised.  
  • Capacity is at a basic level.
Unsatisfactory Implementation or Performance
A rating of (4) indicates that implementation of the standard is minimal or there is no evidence of implementation at all.  
  • The agency’s observed administration and management infrastructure and practices are weak or non-existent; or show signs of neglect, stagnation, or deterioration.
Self-Study Evidence
County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
  • Policies and/or procedures for:
    1. Data security, including HIPAA compliance as applicable
    2. Use of social media, electronic communications, and mobile devices
    3. Managing data interruptions and resuming operations
State Administered Agency (Regional Office)
  • No Self-Study Evidence

On-Site Evidence
County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
  • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable
  • Results of HIPAA compliance reviews
State Administered Agency (Regional Office)
  • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable
  • Results of HIPAA compliance reviews
  • Regional communications with staff regarding case record security policy and office-specific secure location expectations (memos, orientation schedule, etc.)

On-Site Activities
County/Municipality Administered Agency, State Administered Agency (Central Office), or other Public Entity
  • Interviews may include:
    1. Finance personnel
    2. PQI personnel
    3. Information systems manager
    4. Direct service personnel
  • Observe case record room/files and information systems
State Administered Agency (Regional Office)
  • Interviews may include:
    1. Regional Director
    2. Agency leadership
    3. Direct service personnel
  • Observe case record room/files and information systems

PA-RPM 5.01

The agency protects confidential and other sensitive information from theft, unauthorized use or disclosure, damage, or destruction by:
  a. limiting access to authorized personnel on a need-to-know basis;
  b. using firewalls, encryption and/or secured networks, anti-virus and related software, and other appropriate safeguards;
  c. monitoring security measures on an ongoing basis;
  d. having the ability to remotely wipe or disable mobile devices, if applicable; and
  e. maintaining paper records in a secure location, when applicable.
Examples: Regarding element (a), the agency may limit access to authorized personnel by:
  1. limiting access based on staff role within the agency;
  2. ensuring the electronic information systems require strong passwords/passcodes for access to confidential information, require passwords/passcodes to be regularly changed, lock the user out of the system for incorrect login attempts, and automatically time out after a period of inactivity prompting re-authentication; 
  3. disabling the equipment, passwords, and access of former employees; and 
  4. ensuring the information systems are capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
Regarding element (e), secure storage of paper records can include:
  1. locked file cabinets; 
  2. a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or 
  3. a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys. 
Other important considerations can include information taken off-site by staff.
Note: Please see the Facility Observation Checklist for additional guidance on this standard.

PA-RPM 5.02

Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal requirements. 

PA-RPM 5.03

The agency has policies and guidelines addressing the use and monitoring of:
  1. social media;
  2. electronic communications; and
  3. mobile devices, including staff-owned devices, if applicable.
Examples: “Social media and electronic communications” include a variety of applications and websites used to create and share content, for example: 
  1. the agency’s own website; 
  2. external websites;
  3. email;
  4. texting; 
  5. blogs;
  6. social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
  7. wikis; and
  8. discussion forums.
Risks associated with the use of social media and electronic communications may include:
  1. unauthorized or prohibited contact between staff and persons served;
  2. unauthorized or inappropriate use of agency logos or trademarks;
  3. personal comments or opinions that can be misconstrued as representing the views of the agency, or misrepresent the agency;
  4. inadvertent or deliberate disclosure of confidential or proprietary business information; and
  5. inadvertent or deliberate disclosure of confidential or protected information about persons served.

Examples: A social media policy could address:  
  1. the agency’s definition of “social media”;
  2. responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
  3. prohibited forms of communication; 
  4. the appropriate use of social media including confidentiality and privacy considerations; and/or
  5. consequences for failure to follow the policy and/or related guidelines.  

PA-RPM 5.04

The agency is prepared for planned and unplanned interruptions of data and limits the disruption to its operations and service delivery by:
  1. maintaining procedures for managing data interruptions and resuming operations;
  2. backing up electronic data regularly, with copies maintained off premises;
  3. regularly testing the agency’s back-up plan including data restoration processes; and
  4. developing procedures for alternative methods of communication with staff and stakeholders during periods of disruption.


This standard applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency. 
Examples: A disaster recovery plan is a set of procedures put in place to protect and recover an agency’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the agency’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred. 

Factors that increase the effectiveness of a disaster recovery plan include: 
  1. training staff on response procedures; 
  2. practicing procedures/conducting downtime drills; 
  3. testing disaster recovery systems on an ongoing basis; and 
  4. monitoring plan implementation.

PA-RPM 5.05

The agency ensures its electronic information system for managing health records or protected health information:
  a. operates in compliance with all applicable regulations; and
  b. limits access to information in accordance with confidentiality rules and the person’s privacy preferences to the greatest extent possible.


Regarding element (b), if the electronic health record system employed by the agency is not able to meet all the person’s privacy preferences and/or all of the necessary confidentiality rules, the agency must inform the service recipient of the system’s limitations and obtain consent for the exchange of electronic health information based on those restrictions. 
NA: The agency does not electronically manage health records or protected health information.
Examples: The HIPAA Security Rule and Meaningful Use criteria provide strong guidance to agencies regarding the capabilities of electronic health record (EHR) systems. Using a certified EHR is the best way to meet the Meaningful Use criteria. Agencies that are unable to acquire a certified EHR should still strive to meet Meaningful Use recommendations in their selection and use of EHR systems.