


Security of Electronic Protected Health Information (EPHI)
If you have questions not answered by the information provided, please contact:
David Houlette, Security Officer
628-1144
dhoulette@mcvh-vcu.edu
or
Cynthia H. Earnhardt, Privacy Officer
828-0500
chearnha@vcu.edu
Background
Administrative Safeguards
Physical Safeguards
Technical Safeguards
User Responsibilities
Acceptable Uses of Electronic Resources
Specific Rules on NON-Acceptable Use of Electronic Resources
Background
While closely linked, the HIPAA (Health Insurance Portability and Accountability Act) Security regulation differs from the HIPAA Privacy regulation: the Security regulation applies only to the electronic storage and transmission of Protected Health Information (EPHI) and prescribes more detailed requirements for securing that data, whereas the Privacy regulation applies to PHI in all forms.
These security guidelines outline minimum standards for ensuring the confidentiality and integrity of electronic protected health information (EPHI) received, maintained or transmitted by the VCU Health System (VCUHS), as well as other offices which support our organization. All VCUHS Department/Entities shall meet or exceed these standards by implementing the necessary administrative, physical and technical safeguards as appropriate based on their assessments of risk.
Electronic protected health information (EPHI) is identifiable health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
• Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory device; or
• Transmission media used to exchange information already in the form of electronic storage media. Transmission media include, for example, the Internet, Intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, such as paper sent via facsimile and voice sent via telephone, are not considered transmissions via electronic media, because the information exchanged did not exist in electronic form before the transmission.
Administrative Safeguards
To ensure the security of EPHI, the Health System has put in place the following administrative policies:
• Sanctions - Appropriate sanctions against workforce members who fail to comply with the security procedures of the organization.
• System Monitoring - Procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports.
• Workforce Supervision - Procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.
• Appropriate Access - Procedures to determine that the access of a workforce member to EPHI is appropriate to support their role in business or clinical operations.
• Access Termination - Departmental procedures for terminating access to EPHI when employment ends or need for access no longer exists.
• Business Associate Obligations - Ensure safeguards are contractually mandated with any Business Associate or transaction clearinghouse that may have access to Health System EPHI.
• Access - Procedures that grant access to EPHI by establishing, documenting, reviewing and modifying a user’s right of access to a workstation, software application/transaction or process.
• Awareness Training - Establish on-going security awareness through training or other means that provide the workforce (including management) with updates to procedures and policies for guarding against, detecting and reporting malicious software.
• Incident Response - Procedures for responding to, documenting and mitigating where practicable suspected or known security incidents and their outcomes.
Physical Safeguards
• Physical Access - Procedures to limit physical access to EPHI and the facility or facilities in which it is housed, while ensuring that properly authorized access is allowed.
• Physical Identification Validation - Access must be physically safeguarded to prevent tampering and theft. Procedures must address control and validation of a person’s access to facilities based on their role or function, including visitors, employees, faculty, students and vendors.
• Media Movement - Procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.
• Media Final Disposition - Procedures to address the final disposition of EPHI, and/or the hardware or electronic media on which it is stored. Procedures include process for removal of EPHI from electronic media before the media is made available for other use.
Technical Safeguards
• User Sign-on - Access procedures that assign unique names or numbers for identifying and tracking user identity. Electronic sessions terminate automatically after a predetermined time. EPHI must be encrypted and decrypted when necessary and appropriate for electronic transmission.
• Data Integrity - Procedures that protect EPHI from improper alteration or destruction, which include a mechanism to authenticate EPHI and corroborate that it has not been altered or destroyed in an unauthorized manner.
• Authentication - Procedures or mechanisms to verify that a person or entity seeking access to EPHI is the one claimed.
• Data Transmissions - Technical safeguards to ensure that EPHI transmitted over an electronic communications network is not accessed by unauthorized persons or groups, and that such information is not improperly modified without detection until it is disposed of.
User Responsibilities
The VCUHS systems and data are for use only by the individual granted access. Access must not be shared, since shared use often leads to abuse. User accounts must be protected with passwords. Login scripts must not include scripted passwords.
The user must ensure that any restricted information stored on his/her personal computer is safeguarded through physical security (locked offices or keyboards), access control software, or encryption.
When a computer is left signed on, it is easy for someone to gain unauthorized access. Users must either sign off before they leave their computer, or restrict access by some other means (locked office/keyboard, desktop access control, or a password-protected screen saver). Note, however, that many access control packages and screen savers can be easily bypassed.
As an individual whose position requires interaction with the VCU Health System’s information systems, you may be provided with direct access to confidential and valuable data and/or use of data/voice systems. In the interest of maintaining the integrity of these systems and of ensuring the security and proper use of Health System resources, you must:
• Maintain the confidentiality of your password for all systems to which you have access.
• Maintain in strictest confidence the data to which you have access. Any confidential information must not be shared in any manner with others who are unauthorized to view such data.
• Use your computer access for the sole purpose of conducting official business of the Health System. Understand that the use of these systems and their data for personal purposes is prohibited.
• Understand that any abuse of access to the VCU systems and their data, any illegal use or copying of software, any misuse of the Health System’s equipment may result in disciplinary action, loss of access to the computer systems, and possible termination of employment.
Acceptable Uses of Electronic Resources
The VCU Health System’s electronic information environment is provided to support its mission of education, research and service. Other uses are secondary. Uses that threaten the integrity of the system; the function of non-Health System equipment that can be accessed through the system; the privacy or actual or perceived safety of others; or that are otherwise illegal are forbidden.
By using the VCUHS electronic information systems you assume personal responsibility for their appropriate use and agree to comply with all applicable VCU Health System policies, as well as City, State and Federal laws and regulations. Improper use of information systems and/or equipment can result in penalties up to and including loss of system access and employment termination. In addition, some activities may lead to risk of legal liability, both civil and criminal.
Specific Rules on NON-Acceptable Use of Electronic Resources
The following specific uses of VCU Health System computing resources are not allowed. This is not a complete list of prohibited practices, but is intended to illustrate the general standards involved with the use of computers. Additional specific prohibitions may be enforced for individual computer systems or networks or departments.
The following activities and behaviors are prohibited:
• Misrepresentation (including forgery) of the identity of the sender or source of an electronic communication;
• Acquiring or attempting to acquire passwords of others;
• Using or attempting to use the computer accounts of others;
• Alteration of the content of a message originating from another person or computer with intent to deceive;
• The use of computer resources or electronic information without or beyond one's level of authorization;
• The interception or attempted interception of communications by parties not explicitly intended to receive them;
• Making Health System computing resources available to individuals not affiliated with the VCUHS without approval of an authorized official;
• Making available any materials the possession or distribution of which is illegal;
• Unauthorized access, possession, or distribution, by electronic or any other means, of electronic information or data that is confidential;
• Intentionally compromising the privacy or security of electronic information; and revealing passwords or otherwise permitting the use by others (by intent or negligence) of personal accounts for computer and network access;
• Altering or attempting to alter files or systems without authorization;
• Unauthorized scanning of networks for security vulnerabilities;
• Attempting to alter any Health System computing or networking components (including, but not limited to, bridges, routers, and hubs) without authorization or beyond one's level of authorization;
• Unauthorized wiring, including attempts to create an unauthorized network connection, or any unauthorized extension or re-transmission of any network services;
• Intentionally damaging or destroying the integrity of electronic information;
• Intentionally disrupting the use of electronic networks or information systems;
• Intentionally wasting human or electronic resources; and
• Negligence leading to the damage of VCUHS electronic information, computing/networking equipment and resources.

Page last updated on Tuesday, July 1, 2008 1:27 PM.