Create an Email Use/Retention Policy

IT security policies are often derived from other, non-technology, organizational policies. Because electronic communication can be very problematic for a service organization that works with confidential medical information, it is a great idea for a hospital to establish a clear policy for the use and retention of email messages.

Requirements:

For this assignment, you will create two use and retention policies for the staff of a hospital:

Part 1

· Write a Use and Retention Policy for Paper Medical Records establishing rules for the distribution and retention of paper medical records containing confidential patient data within the hospital.

Part 2

· Write a Use and Retention Policy for Email Communication Containing Patient Data.

· Include a statement about how email messages should be retained.

· Remember that electronic patient health information in transit also should be encrypted.

· Include at least one method that could be used to audit the organization in order to determine if this policy is being adhered to.

Your policies should include the following criteria:

· Used policy and procedure format.

· 2 pages in length, double-spaced.

· Free of spelling, grammar, and punctuation errors.

This week we will be discussing security auditing and penetration testing. Security auditing is another important thing that you will need to know from a HIPAA perspective if you work at a healthcare organization. When doing security auditing and penetration testing, it is important to know the various user roles, because if you do not understand what the user should be doing, you will not understand whether the results of the audit are appropriate or not. Often, in reviewing a security audit, a security officer may only suspect that something does not look right, and will have to confer with the user's supervisor to determine whether the access was appropriate.

Your written assignment this week is to create two policies: a paper retention policy and an email use and retention policy. Many employees don't realize that the emails they delete may not be deleted on the server and may still be available for review even years in the future. In this particular assignment, working at a healthcare organization, another question is whether patient data should be sent via email. Read the rubric carefully, as it tells you what you need to submit. Remember, for your email policy you can even say that patient information should NOT be sent by email.

Here are the rubrics for this week's assignments.

Criteria

Written policy establishing rules for the distribution and retention of paper records containing confidential patient data within the hospital. - Policy One to submit

Policy that applies specifically to how staff may use email for communicating patient data. Include a statement about how email messages should be retained. - Policy Two to submit

Selected and described at least one method that could be used to audit the organization in order to determine if the email policy is being adhered to. This should be part of Policy 2.

Free of spelling, grammar, and punctuation errors.