Policy Manual


Network Information Services      

Type: Procedure                 Category: Information Technology                 Level: Community Care 

Parties: Community Care employees and contractees

Printer Friendly Version: http://apps.comcareme.org/policymanual/default.aspx?code=6.MEP.8&nonav=yes

Supporting References: HIPAA Security Rule 164.308.a.5.ii.d

Parent Effective Date Approval Level Revision Dates Last Reviewed
N/A  1-1-2004  Management Team    N/A
Related Document Code Related Document Name Type
6.ME.3 Electronic Media Policy

Procedure:  .

The Administrative Services Manager is responsible for establishing, maintaining and implementation.


Definitions: PC - any workstation terminal system, laptop, or portable computer.


Profile - user account that identifies the specific person.

DAC - Discretionary Access Control are privileges and restrictions of your user account as determined by your supervisor and management.


1.        Password Configuration

1.1.      All passwords must have at least 8 to 14 characters, containing one (1) numeric and one (1) special character such as a *.&#. Users must not construct passwords that are identical or similar to passwords that they have previously employed.

1.2.      The display and printing of passwords must be suppressed, so that unauthorized parties will not be able to observe or subsequently recover them.

1.3.      Users must maintain exclusive control of their personal passwords; they must not share them with others. Passwords must not be stored in any form, i.e. batch files, logon scripts, software macros, function keys, data files, or hard copy.

1.4.      PC access must be achieved via passwords that are unique to each individual user. Access control to files, databases, computers, and other system resources via shared passwords is prohibited.

1.5.      All users will be automatically forced to change their passwords at least once every ninety (90) days. All passwords must be promptly changed if they are suspected of being disclosed, or known disclosure has occurred to unauthorized parties.

1.6.      Regardless of the circumstance, passwords must never be shared or revealed to anyone else unless requested by a Systems Administrator for problem resolution. Once the problem has been fixed, users must change their password to ensure system integrity. Users are forbidden from performing any activity with ID's belonging to other users.

2.        DAC Configuration

2.1.      Managed by your team with settings implemented by a System Administrator who defines certain privileges and restrictions related to your profile determined by your supervisor or management.

2.2.      Access is granted or restricted to specific drives, file servers, databases, and unique applications related to your profile, which is established upon initial request and updated as needed.

3.        Data Storage, Backup and Destruction

3.1.      Agency information is backed up daily and stored at a secured off site location. A recommended precaution would be to back up your critical data onto a diskette and store on-site in a secure location.

3.2.      Hard drive destruction is authorized by two methods: reformatting, or physical destruction of the media.

4.        File Limitations

4.1.      All files accessed from disk, CD-ROM, or zip disk must be virus scanned. All data files stored on Community Care systems must be work related.

4.2.      E-mails larger than five-megabyte should not be sent.

5.        User Responsibilities

5.1.      If you are leaving your workstation, you must lock your PC by pressing, "ctl-alt-delete" and selecting the lock feature.

5.2.      All PCs are configured with a password protected screen saver.

5.3.      Information security events, i.e. viruses, corrupt data, malicious emails, chain letters, inappropriate pictures, executable files, movie clips, and Internet abuse, should be immediately reported to your supervisor. Do not open or delete any e-mail of this type, contact Community Care IT, and report this event.