Building Access

  • Keys to the building will only be provided to employees who need them; if you have a key to the building, you will also be provided with an individual security code for the alarm system.
  • Do not share your keys or security code with anyone else.
  • During regular business hours, the front doors will be unlocked.  All other exterior doors will remain locked.  If you leave through a door other than the front door, you are responsible for making sure it is closed.
  • The server is stored in a locked case; the Practice Manager and IT Manager have access to the keys.
  • Records for deceased and inactive patients are stored in the file room, which is to be kept locked at all times.
  • Surgical files are locked each night; the Clinical Coordinator and OR Supervisor have access to the keys.


Workstations

  • Computer screens should be placed so they are only visible to authorized users; in exam rooms, patients may be permitted to see their own information.
  • Any confidential information must be cleared from the screen when not in use, either by closing the window, closing the session, or locking the computer.
  • Compulink will automatically log out an inactive user after 60 minutes, but it may keep the last record locked.  If you will not be using Compulink for an extended time, be sure to LOG OUT and CLOSE the program.
  • Session-lock screen savers will be set on all workstations; they will come on after 5 minutes in patient-accessible areas, and after 15 minutes in areas without patients (such as transcription).
  • All users must LOCK their computers when leaving a workstation unattended.  You can do this quickly by pressing the Windows key + L.
  • Users must LOG OUT of and CLOSE Compulink prior to leaving the building for any reason.


Mobile Devices and Portable Media

  • ePHI should not be saved on any mobile device (laptop, tablet, etc.).  If data needs to be saved, it should be saved to the server.
  • CDs, USB drives, and other portable media containing ePHI will not be removed from the building.
  • Mobile devices and portable media removed from the Eye Center (such as laptops being transported from Macon to Warner Robins) must not be left in unsecured locations.  If any such device or media is lost or stolen, the loss must be reported to the Security Officer within 1 business day.
  • PERSONAL DEVICES (phones, USB drives, etc.) WILL NOT BE CONNECTED TO ANY EYE CENTER COMPUTER. There is a charging hub available in the kitchen if you need to charge your device.


Audits

  • Security audits may be run on any Eye Center computing resource at any time.
  • Compulink User Audits will be run regularly, and any unusual activity will be reported to the Practice Manager for additional investigation.
  • Full network audits will be performed annually by Prestige Computer Solutions.
  • The Eye Center will use The Guard system by Compliancy Group to monitor the Eye Center's security on a regular basis, including annual risk assessments.
  • The IT Manager will conduct spot-checks of workstations for security violations.
  • Additional assessments will be performed when new regulations come into effect.


Incident Reporting

  • All employees must report any security-related incidents to the Security Officer:
    • virus, worm or other code attacks
    • network or system intrusions
    • unauthorized access to ePHI
    • data loss due to theft, error, system failure, or disaster
    • loss of media that contains ePHI
    • unknown or unauthorized persons in secure areas
  • The Compliance Officers will investigate any incidents to determine if there has been a breach of PHI.

2019 Security Training