Information Security Policy
Last Updated: July 21, 2022
A. It is the policy of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS that information, as defined hereinafter, in all its forms (written, spoken, recorded electronically or printed) will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
B. All policies and procedures must be documented and made available to the individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All documentation must be periodically reviewed for appropriateness and currency, at an interval to be determined by each entity within CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS.
C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.
A. The scope of information security includes the protection of the confidentiality, integrity and availability of information.
B. The framework for managing information security in this policy applies to all CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS entities and workers, and other Involved Persons and all Involved Systems throughout CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS as defined below in INFORMATION SECURITY DEFINITIONS.
C. This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.
III. RISK MANAGEMENT
A. A thorough analysis of all CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or manmade, electronic and non-electronic) that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to those threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with their collection, storage, dissemination and protection.
From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
B. Based on the periodic assessment, measures will be implemented that reduce the likelihood and impact of the identified threats by reducing the number and scope of the vulnerabilities.
IV. INFORMATION SECURITY DEFINITIONS
Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.
Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.
Integrity: Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons: Every worker at CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS — no matter what their status. This includes physicians, residents, students, employees, contractors, consultants, temporaries, volunteers, interns, etc.
Involved Systems: All computer equipment and network systems that are operated within the CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
V. INFORMATION SECURITY RESPONSIBILITIES
A. Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS. Specific responsibilities include:
1. Ensuring security policies, procedures, and standards are in place and adhered to by each entity.
2. Providing basic security support for all systems and users.
3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
6. Providing on-going employee security education.
7. Performing security audits.
B. Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS Information Owner Delegation Form. The owner of information has the responsibility for:
1. Knowing the information for which she/he is responsible.
2. Determining a data retention period for the information, relying on advice from the Legal Department.
3. Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
4. Authorizing access and assigning custodianship.
5. Specifying controls and communicating the control requirements to the custodian and users of the information.
6. Reporting promptly to the ISO the loss or misuse of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information.
7. Initiating corrective actions when problems are identified.
8. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
9. Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
C. Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
1. Providing and/or recommending physical safeguards.
2. Providing and/or recommending procedural safeguards.
3. Administering access to information.
4. Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure, using procedures that protect the privacy of the information.
5. Evaluating the cost effectiveness of controls.
6. Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
7. Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
8. Reporting promptly to the ISO the loss or misuse of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information.
9. Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
D. User Management: CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS management who supervise users as defined below. User management is responsible for overseeing their employees’ use of information, including:
1. Reviewing and approving all requests for their employees' access authorizations.
2. Initiating security change requests to keep employees’ security record current with their positions and job functions.
3. Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
4. Revoking physical access from terminated employees, i.e., confiscating keys, changing combination locks, etc.
5. Providing employees with the opportunity for training needed to properly use the computer systems.
6. Reporting promptly to the ISO the loss or misuse of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information.
7. Initiating corrective actions when problems are identified.
8. Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
E. User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
1. Access information only in support of their authorized job responsibilities.
2. Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
3. Refer all disclosures of PHI (1) outside of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS and (2) within CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS, other than for treatment, payment, or health care operations, to the applicable entity's Medical/Health Information Management Department. In certain circumstances, the Medical/Health Information Management Department policies may specifically delegate the disclosure process to other departments.
4. Keep personal authentication devices and secrets (e.g., passwords, SecureCards, PINs) confidential.
5. Report promptly to the ISO the loss or misuse of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information.
6. Initiate corrective actions when problems are identified.
VI. INFORMATION CLASSIFICATION
Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification, the integrity and accuracy of all information must be protected. The classification assigned and the related controls applied depend on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:
A. Protected Health Information (PHI)
1. PHI is information, whether oral or recorded in any form or medium, that:
a. is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and
b. relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
c. includes demographic data that permits identification of the individual or could reasonably be used to identify the individual.
2. Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS and its patients or research interests.
B. Confidential Information
1. Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and file encryption keys.
2. Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
C. Internal Information
1. Internal Information is intended for unrestricted use within CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS, and in some cases within affiliated organizations such as CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS business partners. This type of information is already widely distributed within CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS, or it could be so distributed within the organization without advance permission from the information owner.
Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
2. Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information.
3. Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
D. Public Information
1. Public Information has been specifically approved for public release by a designated authority within each entity of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS. Examples of Public Information may include marketing brochures and material posted to CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS entity internet web pages.
2. This information may be disclosed outside of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS.
VII. COMPUTER AND INFORMATION CONTROL
All involved systems and information are assets of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.
A. Ownership of Software: All computer software developed by CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS employees or contract personnel on behalf of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS or licensed for CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS use is the property of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.
B. Installed Software: All software packages that reside on computers and networks within CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS must comply with applicable licensing agreements and restrictions and with CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS software acquisition policies.
C. Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
D. Remote Access: Access into the CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS network from outside will be granted using CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protection as information stored and accessed within the CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS network.
E. Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.
The following physical controls must be in place:
a. Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
b. File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
c. Workstations or personal computers (PCs) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards, which must include procedures that will:
1. Position workstations to minimize unauthorized viewing of protected health information.
2. Grant workstation access only to those who need it in order to perform their job function.
3. Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
4. Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to PHI.
5. Use password-protected automatic screen savers or screen locks to protect unattended machines.
VIII. COMPLIANCE [§ 164.308(a)(1)(ii)(C)]
A. The Information Security Policy applies to all users of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS procedures. Further, penalties associated with state and federal laws may apply.
B. Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
1. Unauthorized disclosure of PHI or Confidential Information as specified in the Confidentiality Statement.
2. Unauthorized disclosure of a sign-on code (user id) or password.
3. Attempting to obtain a sign-on code or password that belongs to another person.
4. Using or attempting to use another person’s sign-on code or password.
5. Using one's own authorized sign-on code or password to invade patient privacy by examining records or information for which there has been no legitimate request for review.
6. Installing or using unlicensed software on CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS computers.
7. The intentional unauthorized destruction of CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS information.
8. Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.
Password Control Standards
The CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). (See CAROLINA CONNECTIONS, INC DBA UNIQUE BACKGROUND SOLUTIONS Information Security Policy for definition of these protected classes of information.)
Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.