PREVENTION

Actions taken to minimize and/or eliminate social, psychological, or other conditions. Prevention can occur at the individual, group, community, and societal levels and enhances opportunities to achieve positive fulfillment.
 
  MANAGEMENT

See ADMINISTRATION
 
  PRACTICE

Established actions or ways of proceeding in the regular performance of organizational duties. Policies and procedures often guide practice.
 
  LIABILITY

An obligation, responsibility, or debt.
 
  CASE RECORD

A written compilation that describes the client and the services delivered. Records can be in hard copy and/or electronic format. The case record can be used as a source of information for quality improvement or other evaluation activities, for research purposes, or to demonstrate accountability to funding bodies.
 
  PERSONNEL

The body of employees and/or volunteers that carries out the organization's tasks under the organization's administration and/or supervision. This definition does not include foster parents, who are specifically referenced in relevant standards.
 
  CASE

A general term used to designate clients (including individuals, families, and groups) served by an organization for purposes of monitoring the provision of services. A foster care case is generally based on the placement of an individual child, although casework for the child may include services to the child's family. A child protective services case is based on an entire family household if a family assessment model is used; otherwise a case is defined as a child.
 
  CONFIDENTIALITY

An ethical and practice principle that requires the protection of information shared within a professional-client relationship. An organization that upholds confidentiality prohibits personnel from disclosing information about persons served without their written consent.
 
  CASE CLOSING

A voluntary or involuntary process which occurs when an organization no longer assumes responsibility for providing services to a particular individual, group, or family. Also known as "termination" or "discharge."
 
  POLICY

A written statement of principles, values, or intent that provides a basis for consistent decision making and guides the actions of staff, management, and board of trustees. A policy is intentionally broad in its language and application. The following is an example of an anti-discrimination policy:

"[Organization Name] shall not discriminate on the basis of race, color, religion (creed), gender, age, national origin (ancestry), disability, marital status, sexual orientation, or military status, in any of its activities or operations. These activities include, but are not limited to, hiring and firing of staff, selection of volunteers, selection of vendors, and provision of services."

In contrast, a procedure is a detailed, step-by-step description of a process. It tells the reader how to do something. Generally, policies are implemented through procedures. For example, the above anti-discrimination policy would require a detailed grievance procedure in order to operationalize it within an organization.

The governing body has the fiduciary responsibility for setting organizational policy. Therefore, policies must be approved and periodically reviewed by the organization's governing body. However, the governing body typically delegates (via policy) the responsibility for policy development to management. In owner-operated for-profit companies, the owner can act as the company's governing body, depending on the company's corporate structure.

In a public agency, the responsibility for setting and reviewing policies may belong to the agency's management team, elected officials, another governmental agency, or, as is often the case, a combination of the above.

 
Risk Prevention and Management
 

PA-RPM 6: Security of Information*

 
Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.
Interpretation: The standards in this section address security of all types of records, including case records, administrative, financial, health, and personnel records, unless otherwise noted. See also PA-RPM 7 Case Records and PA-RPM 8 Access to Case Records.

PA-RPM 6.01

 

The agency protects confidential and other sensitive information from theft, unauthorized use, damage, or destruction by:

  1. limiting access to authorized personnel on a need-to-know basis;
  2. backing up electronic data, with copies maintained off premises;
  3. using firewalls, anti-virus and related software, and other appropriate safeguards; and
  4. maintaining paper records in a secure location.

Interpretation: The agency needs to consider both safety and security when deciding where and how to store its records. Other important considerations include information taken off-site by staff and online access to the agency's computer system. The agency should develop a system that best fits its needs and circumstances.

Secure storage of paper records may include: locked file cabinets; a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys. Agencies may also consider using fireproof cabinets; metal file cabinets; a sprinkler system; or not storing records in basements in areas that are prone to flooding.

Note: Please see Checklist: Facility Observation in the Tools Index for additional assistance with this standard.

PA-RPM 6.02

 
Case records are maintained and disposed of in a manner that protects privacy and confidentiality, and the agency:

  a. maintains case records for at least seven years after case closing unless otherwise mandated by law; and
  b. properly disposes of records in the event of the agency’s dissolution.

Interpretation: Adoption records or a summary of all salient information included therein are maintained permanently, and records of children or youth are maintained until the age of majority or a few years beyond, depending on advice of counsel.

PA-RPM 6.03

 
Confidential information, when electronically transmitted, is protected by safeguards in compliance with applicable legal requirements.
Update: Added Interpretation - 03/01/11
Interpretation: Staff who deliver services using electronic media, including telephone and computer, discuss associated risks with service recipients.

PA-RPM 6.04

 
The agency posts a privacy policy on all publicly accessible websites.
NA The agency does not maintain a website.

PA-RPM 6.05

 
The agency has policies and procedures that address the risks, benefits, and ongoing processes required to manage web-based technologies and electronic communications.
Update: Added Standard - 03/01/11

Interpretation: “Web-based technologies and electronic communications” include, but are not limited to: the agency’s own website, email, external websites, blogs, social media and networking sites, wikis, discussion forums, and photo and video sharing sites where the agency’s staff may interact with each other or with service recipients.

Risks associated with the use of web-based technologies and electronic communications may include:

  1. unauthorized or prohibited contact between staff and service recipients;
  2. unauthorized or inappropriate use of agency logos or trademarks;
  3. personal comments or opinions that can be misconstrued as representing the views of the agency, or that present the agency in a negative light;
  4. inadvertent or deliberate disclosure of confidential or proprietary business information; and
  5. inadvertent or deliberate disclosure of confidential or protected information about service recipients.
PURPOSE: Comprehensive, systematic, and effective risk prevention and management practices reduce the agency's risk, loss, and liability exposure.
 