
policy IT-002 : Use of Electronic Information and Systems

This policy creates comprehensive Health System-wide requirements for all users of Health System information and IT systems to employ reasonable and appropriate administrative, technical and physical safeguards to protect confidential information, including PHI, and other Health System IT resources.

File attachment: IT-002UseofElectronicInformationandSystems08012017.pdf (PDF document, 203 KB)


  1. effective date:

    August 1, 2017
  2. content:

    Applies To:            The Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office/UVA Health Foundation (“Health System Development Office”), and the University of Virginia Physicians Group (“UPG”) (hereinafter referred to collectively as “Entities”, or individually as an “Entity”)

    Reason for Policy:    The Health System’s electronic information and systems promote efficiency, allow for faster and better care for our patients by our medical professionals, offer superior training to our students and uncover more useful information for our researchers.  These powerful tools are a two-edged sword, however, and must be used carefully. Users of these systems must protect confidential information, must guard our operations from internal and external threats, must protect and promote the mission of the University and the Health System, and must make wise use of public resources.

    Definition of Terms:  

    “Confidential Information” means any information in the custody of a Health System Entity regardless of its form (oral, paper, electronic) or storage media, that constitutes medical records or other Protected Health Information (PHI); and proprietary, research and related information, financial or other business-related information, including but not limited to documents concerning transactions and strategic planning, human resources records, payroll records, and legal advice.

    “Electronic Information and Systems” or “Institutional Systems” shall refer to all data, including but not limited to Confidential Information, that is electronically stored, accessed, displayed or transmitted using the Health System systems, network, and all systems either directly connected to Health System networks, or accessed remotely. 

    For Purposes of this Policy, Confidential Information stored, transmitted or collected within Institutional Systems is categorized into two functional groups: 

    1. PHI;
    2. other Confidential Information such as financial or other business-related information, documents concerning transactions and strategic planning, human resources records, payroll records, and legal advice 

    “EMR” shall refer to the Health System’s clinical systems and patient billing systems.  This includes:

    • Epic generated documentation (e.g. create/resulted in Epic)
    • Approved clinical forms
    • Transcribed documentation
    • Approved ancillary systems
    • Approved clinically relevant department/area documentation
    • Approved research/clinical trial documentation (e.g. consents, orders, results, clinical notes)
    • Billing records 

    (see also Medical Center Policy No. 0218 “Definition, Characteristics, Authentication and Maintenance of the Medical Record and Designated Record Set”; TCH Policy 0218 “Definition, Characteristics, Authentication and Maintenance of the Medical Record and Designated Record Set”; {unnumbered} UPG Policy “Designated Record Set”)

    “Health System” shall, for purposes of this and all other Health System policies refer to the following entities: the Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office, and UPG (hereinafter referred to collectively as “Entities” or each individually as an “Entity”). 

    “Health System Intranet” or “Intranet” shall refer to Health System electronic information and systems made accessible via computer networks and resources such as the Medical Center secure clinical network, guest networks and virtual private networks, Medical Center secure (*HS) email, mobile apps, and internal websites. 

    “Internet” shall refer to the global network of information systems accessible to the public.

    “PHI” or “Protected Health Information” consists of all individually identifiable health and billing/payment information about a patient regardless of its location or form. Health information is “individually identifiable” if it includes any one of the identifiers listed in Appendix A. PHI may not be used or disclosed except when necessary to support treatment, payment or business operations, when authorized by the patient, or as otherwise permitted or required by law. Every Team Member employed within the Health System and providing services, or receiving training, in any capacity that requires access to PHI, including all persons involved in healthcare education and research, must comply with this requirement.

    “Team Members” shall refer to all persons providing clinical, educational, research, administrative, or other services within or for the benefit of the Health System, regardless of employer.

    “Users” shall refer to Team Members, departments and organizational units within Entities of the Health System and others having approved access to the Health System’s Electronic Information and Systems.  

    Policy Statement:     The Health System shall use reasonable and appropriate administrative, technical and physical safeguards for the protection of Electronic Information and Systems. 

    All Users shall be required to comply with all relevant policies, standards and procedures intended to protect Electronic Information and Systems. Requests for exemptions shall only be considered if made in accordance with the Health System’s information security risk assessment and exception procedures. 

    1. All persons accessing the Health System Intranet shall comply with relevant policies, standards and procedures. Team Members are responsible for compliance with Health System policies and, as applicable, the relevant procedures and guidelines of:
      • Medical Center
      • Transitional Care Hospital
      • Health Information & Technology
      • School of Medicine
      • School of Nursing
      • UPG
      • Claude Moore Health Sciences Library
      • University of Virginia
    2. Access to the EMR and to other Institutional Systems storing, transmitting or collecting PHI shall be granted only to those Users who have a legitimate need to know or to access such information for their work or training.  Users of information in the EMR obtained via access to institutional systems shall also follow the guidelines contained in Transitional Care Hospital or Medical Center Policy No. 0021 “Confidentiality of Patient Information”. 
    3. Users are expected to use MyChart® to electronically access, review and retrieve their own personal health records, or those of family members (including spouses and minor children) or others whose records they are authorized to access, review and retrieve; Users may also contact Health Information Services (HIS) to obtain copies of such records. Users shall not access, review or retrieve their own EMR in Epic or in any other Institutional System nor may they access, review or retrieve any other person’s medical record (i.e. that of a minor child, spouse, parent, etc.) in Epic or in any other Institutional System unless they are authorized to do so as part of their role-related duties. 
    4. Managers are responsible for taking appropriate disciplinary action against Team Members using the Internet or Intranet in a manner that violates these policies. The Health System reserves the right to apply software and other monitoring tools to identify, report, and restrict inappropriate activities.
    5. Users shall take reasonable measures to protect user identities, passwords and access codes. No User shall disclose access codes or passwords to any other person, nor shall anyone use another person’s access code or password to access any Institutional Systems. Any person who has reason to believe that his/her access code or password, or that of another person, has been compromised shall immediately report such occurrence to his/her supervisor and the Health System IT Information Security Office.
    6. All persons gaining access to the Internet using the Health System network are responsible for the content of any information that they access or post. Limited personal use of the Internet is acceptable when it does not impede business functions, disclose PHI or consume excessive institutional resources.  
    7. Electronic Information and Systems used for the purposes of research that contain PHI shall be considered Patient Care Information and be subject to all relevant Health System policies, procedures and guidelines, unless de-identified (see Appendix A).
    8. Acceptable uses of the Internet and intranet include:   
      1. Communicating by electronic mail for purposes relevant to the mission of the Health System and in compliance with Transitional Care Hospital and Medical Center Policy No. 0193 “Electronic Mail (E-mail)”.
      2. Researching issues relevant to the mission of the Health System.
      3. Participation by Health System personnel in forums, blogs, news groups, and other information exchanges (often referred to as “social media”) with other healthcare or work-related professionals for the purpose of improving their professional knowledge or skills. Such participation is acceptable provided that any PHI is completely de-identified as defined in Appendix A unless the exchange is internal to the Transitional Care Hospital, the Medical Center or UPG and is part of a recognized training curriculum.
      4. Creation or use of Health System-sponsored forums, blogs, news groups and other information exchanges to provide general educational information to patients and allow patient/patient communications provided that the patient expressly requests to participate and is informed that privacy cannot be assured under the circumstances. Such information exchanges may not be used to provide medical advice to patients. Patients should be encouraged to instead use MyChart which provides a more secure and confidential means of electronic communication between patient and provider.
      5. Obtaining software, software updates, and software patches provided such software is legally obtained, verified, authenticated and installed in accordance with Health System and departmental policies.
      6. Cloud data storage using an HIT-approved business Dropbox account with the Sookasa security add-on for any sensitive storage.
    9. Unacceptable uses of the Internet or Health System Intranet include:
      1. Commercial or business use not directly related to Health System business.
      2. Obtaining access to any network or computer system in a manner that violates the policies of the owner of the network or system.
      3. Engaging in illegal or unethical activities as defined by this policy, other applicable Health System policies[1] and applicable laws.
      4. Sharing of Health System software or data with anyone not specifically authorized to receive such software or data.
      5. Disclosing patient information via forums, blogs, news groups or other information exchanges including social networking sites such as Facebook, Twitter, etc. except as allowed in item 8.3 above.
      6. Using unapproved third-party cloud storage or cloud-based back-up providers, such as, but not limited to: personal Dropbox, iCloud, Google Docs, Amazon Simple Storage Service, Carbonite, CrashPlan or any other similar, consumer-based service provided by a vendor with whom the Medical Center has not established a contractual relationship.
      7. Accepting the terms of use for an IT product or service on behalf of the Health System without the approval of the governing procurement process for that Entity. Examples of IT products and services include downloadable applications, Software as a Service (SaaS), mobile apps, PC desktop software, online web publishing tools, subscription services, etc.  Acquisition of such IT products and services typically includes a “Terms of Use” agreement that must be accepted before installation or setup can occur.  Because end Users may not enter into agreements on behalf of the University of Virginia, Terms of Use agreements must be reviewed by the appropriate procurement department, which is solely responsible for accepting terms, prior to acceptance. As relevant, procurement departments are:
        1. Medical Center Procurement for Medical Center users
        2. University Procurement for School of Medicine, School of Nursing and Claude Moore Health Sciences Library users
        3. UPG Procurement for UPG users
      8. Any use that violates Health System policies, Health Information & Technology Guidelines, the University of Virginia’s Responsible Computing Policy and applicable law.

    Procedures:

    A.      USER ACCESS TO ELECTRONIC INFORMATION AND SYSTEMS

    1. HIS, in collaboration with the Health Information Management Subcommittee (HIMS) and Health Information & Technology (HIT) as may be necessary, shall grant access to Institutional Systems only to those Users who require such access for their work or training, and HIT shall assign to each such person an access code or password.
    2. If temporary access to Institutional Systems is necessary for a person not directly employed by an Entity, a requesting manager or supervisor shall obtain from such person/s a confidentiality and security agreement incorporating the relevant requirements of this policy; if the person requiring access to Institutional Systems is a contract vendor, or employed by a contract vendor, a requesting manager or supervisor shall also confirm with Procurement that any required Business Associate Agreement has been executed.  
    3. All users shall log off all systems after completing their work or leaving their work space.
    4. Automatic logoffs after a defined period of no activity will occur for institutional computer systems.  Timeout intervals and standards are documented on the Health Information & Technology website.
    5. Managers and supervisors shall use the Supervisor Review Application annually or as needed to review and verify the status of Users within their respective departments or areas to ensure that access to Institutional Systems continues to be appropriate to each User’s role or function. 
    6. Within forty-eight (48) hours of a manager’s/supervisor’s receipt of notification of a User’s change of job duties, termination of employment, or termination of trainee status, the manager/supervisor shall notify the appropriate Human Resources office to initiate notification to the Health IT Information Security Office of the impending change (see also Medical Center Human Resources Policy No. 405 “Separation from Employment”; Health System Policy ACC-001 “Health System Identification”).   The appropriate Human Resources office shall, within three (3) business days of such notification, alert Health IT Information Security to take whatever timely action is required to ensure that such User’s access to Institutional Systems is consistent with his/her change in status. If, due to a Team Member’s termination, or for security reasons, immediate termination of access to Institutional Systems is required, managers/supervisors shall immediately (i.e., within 24 hours) notify the Health IT Information Security Office to take all necessary measures.  Health System managers shall follow additional requirements set forth in Medical Center Human Resources Policy No. 405 “Separation from Employment”.

    B.      INFORMATION AND SYSTEMS THAT STORE, TRANSMIT OR COLLECT PHI

    1. PHI to be transferred over the Internet must be authenticated and encrypted using a method specifically approved by HIT limiting access to only authorized recipients and protecting the data from interception while in transmission. 
    2. Organizational areas or individuals seeking a transmission method other than those established by Health IT procedures must place a service request with Health IT and receive approval before using that alternative method.  Refer to the Health IT Information Security website for additional policies, procedures, and guidelines on the proper handling and transmission of Electronic Protected Health Information.  

    C.     REPORTING POLICY VIOLATIONS AND SECURITY COMPROMISES

    Managers and supervisors shall immediately report to the Health IT Information Security Office any violations of this policy, and other compromises of access security, including compromises of sign-on/passwords or access codes. The Health IT Information Security Office can be contacted through the Health IT website.  The Health IT Information Security Office shall take corrective action as appropriate and shall notify the Compliance and Privacy Office of the violation and of any action taken.  The Compliance and Privacy Office, in conjunction with the appropriate supervisor and Human Resources, shall investigate the violation, and take any steps in response as required by applicable law and policy, which may include mitigation, notification and disciplinary action.

  3. signature(s):

    Richard P. Shannon, MD, Executive Vice President, Health Affairs