Acceptable Use Policy – Mental Health Clinical Information System (PSOLIS)




Mental Health Division
November 2009
Acknowledgement:
This document would not have been possible without the contribution of the PSOLIS Audit
Steering Committee members;

Theresa Marshall       Consultant Clinical Governance Reviews, Office of the Chief Psychiatrist
                       Representative
Mark Pestell           Area Manager, South Metropolitan Area Health Service - Mental Health
                       Representative
Patrick Marwick        Clinical Director, CAMHS North Metropolitan Area Health Service - Mental
                       Health Representative

Robert Edey            Senior Program Officer, WA Country Health Service – Mental Health
                       Representative
David Ward             Manager Mental Health Information, Women and New Born and Child and
                       Adolescent Health Service Representative
Michael Kalynuik       Clinical Systems Coordinator, Bentley Health Service – Mental Health
                       Representative
Mary Blake             Systems Administrator, North Metropolitan Area Health Service – Mental
                       Health Representative
Sharon Mannion         A/Area Coordinator Mental Health Information System, South Metropolitan Area
                       Health Service – Mental Health Representative
Kirsty Edoo            Application Manager PSOLIS, Health Information Network Representative
Paul Jowett            Technical Lead PSOLIS, Health Information Network Representative
Donna Slattery         Application Specialist PSOLIS, Health Information Network Representative
Tom Pinder             Manager Mental Health Information System, Information Management and
                       Reporting Directorate Representative
Creswell Surrao        Senior Program Manager, Statewide Mental Health Governance and
                       Performance, Mental Health Division Representative

Version Control:

Purpose:              Stipulate acceptable use of the mental health clinical information system PSOLIS
Relevant To:          PSOLIS Users
Approval Authority:   Mental Health Operations Review Committee/PSOLIS Custodians
Effective Date:       01 Dec 2009
Review Date:          30 Nov 2014
Responsible Group:    PSOLIS Management Group
Enquiries Contact:    Creswell Surrao, Senior Program Manager, Tel: 9222 4099
Source Document:      Acceptable Use Standard – Computing & Communication Facilities,
                      Department of Health, Government of Western Australia

Table of Contents

Introduction

General Obligations
To Whom Does This Policy Apply

1. Purpose
     1.1      Policy Scope

2. Policy Statement
     2.1      Responsible Use
     2.2      General Security
     2.3      Ethical Use of the PSOLIS Application
     2.4      Record Keeping
     2.5      Compliance Monitoring and Controls
     2.6      Breaches

3. Background

4. Training

5. Related Legislative and other Documents

6. Appendices
     a.       Operational Directive No: OD 0131/08 Access to the Mental Health Clinical
              Information System (PSOLIS) by Public Sector Organisations
     b.       Operational Directive No: OD 0132/08 Access to the Mental Health Clinical
              Information System (PSOLIS) by Non-Public Sector Organisations
     c.       Operational Directive No: 9222 4200 Mandatory Data Collection and
              Recording Requirements for Specialised Public Mental Health Services
     d.       Operational Circular No: OP1917/05 Programs (Service Units) in the Mental
              Health Clinical Information System (PSOLIS)
     e.       Operational Circular No: OP1916/05 Ambulatory (Community) Mental
              Health Data Collection
     g.       Department of Health Western Australia – Data Management Policy
     h.       Department of Health Western Australia – Data Custodianship Policy and
              list of assigned Data Custodians and nominated delegates for the PSOLIS
              Application
     i.       Information Security Policy
     j.       Portable Computer and Storage Devices Policy
Introduction
This policy establishes the minimum obligations incumbent upon all staff both government
and non-government who have access to the mental health clinical information system –
PSOLIS and must be read in conjunction with the Department of Health Western Australia
‘Acceptable Use Standard – Computing & Communications Facilities’ and all other
policies and guidelines and Operational Directives pertaining to the PSOLIS application.

General Obligations
Staff must use the PSOLIS application in a responsible manner, taking into account the
consequence their actions may have.

Staff must not use the PSOLIS application;

•   for any unlawful, illegal, malicious or improper purpose;
•   to access without the relevant permissions any information held within the application;
•   to disclose private or confidential information contained within PSOLIS for any purpose
    other than those reasons identified within the FOI Act and in keeping with Department
    of Health policies and guidelines for information disclosure;
•   to enter information into PSOLIS that is offensive, defamatory, abusive or that violates
    any law or regulation;

To Whom Does This Policy Apply?
The Acceptable Use Policy applies to all Department of Health WA staff with access to the
mental health clinical information system PSOLIS and includes but is not limited to:

    •   all staff, contractors, casuals, students and volunteers;
    •   operators of any Department of Health WA Services;
    •   any external organisation or their staff, and organisations offering outsourcing
        arrangements for the Department of Health WA.


☒ REMEMBER

    Staff will be required to provide an acknowledgment (by signing a
    Declaration Form issued by their respective service that this policy has
    been provided to them and read and understood by them). The signed
    Declaration Form will be held on each individual staff member’s
    personal file.

1 Purpose

This policy sets out acceptable use of the mental health clinical information system
PSOLIS by all authorised users. The provision of this policy is intended as a minimum
requirement that must be complied with and is not meant to be exhaustive.

The Purpose of this policy is to:

   •   ensure users are aware of their role, responsibilities and obligations when using
       the PSOLIS application;
   •   prevent misuse of the application;
   •   ensure users recognise the privilege of and confidential nature of patient
       information;
   •   inform users of Department of Health WA’s obligation to routinely monitor for
       compliance with this policy;
   •   identify the consequences of breaching this policy;
   •   ensure staff members are not exposed to unethical behaviour such as privacy
       violations as a consequence of user actions; and
   •   avoid conduct that violates any written law whether or not expressly mentioned in
       this policy (e.g. The Western Australian Criminal Code 440A, which addresses
       ‘unlawful use’ of computers);

This policy complies with and should be read in conjunction with the Public Sector Code of
Ethics and all other Professional Codes of Conduct associated with discipline specific
professions.

1.1 Policy Scope

Use of the mental health clinical information system PSOLIS includes all electronic
transmissions to or through the application.
Policy Statements
2.1 Responsible Use


 Mental Health Clinical Information System – PSOLIS must be used
 responsibly


Unauthorised or inappropriate use of the mental health clinical information system
PSOLIS could result in limitations on use, disciplinary actions, criminal penalties and/or
staff and other users being held liable for any inappropriate use.
Staff should act professionally in the workplace and refrain from using the mental health
clinical information system PSOLIS for activities that are inappropriate. Misuse or
inappropriate use of the PSOLIS application includes:

a) For any personal use. Personal Use is any activity that is conducted for purposes other
than accomplishing the official business of the DoHWA e.g. looking up information in
PSOLIS regarding a relative or friend or a person associated with a sentinel event for no
apparent clinical or administrative reason

b) Use of PSOLIS application as a staging ground or platform to gain unauthorised access
to other Department of Health computer systems or other illegal computer trespass for
example, hacking;

c) The intentional unauthorised internal or external transmission of any information subject
to the Privacy Act for example, patient information.

d) Using another person’s digital authentication of logon and password

e) Avoiding established security procedures, such activities include but are not limited to
accessing all PSOLIS information and PSOLIS-derived sub-sets of information in any form
by not complying with established access as per DoH WA policies and protocols.


2.2 General Security

 The PSOLIS application and any information contained therein must not
 be placed in jeopardy


Staff should be aware that their use / access to the PSOLIS application is made with the
understanding that such use may not be private.
Use of the PSOLIS application by staff may be disclosed to employees within the
Department of Health who have a need to know in the performance of their duties e.g.
Operational Data Custodians for the PSOLIS application who are the: Director, Mental
Health WACHS and delegate: Senior Program Manager, Mental Health WACHS

The PSOLIS application contains monitoring tools and inappropriate use may be reported
to authorised staff or the human resource Corporate Governance Directorate who
investigate inappropriate use. The privacy rights of any individual staff member with
access to the PSOLIS application will not be violated unless proven that such rights have
been misused / violated.

To assist with general security staff should;
   •   Not share their PSOLIS access logon and password;
   •   Change their password if anyone else may know it;
   •   Activate the screen saver or lock the workstation if they are away from their desk;
       and
   •   Always log out when finished using the system.

☒ REMEMBER

    Users are responsible for the use of their PSOLIS logon and
    password. If you believe it has been compromised in any
    way, you must report it immediately to your supervisor /
    manager.




2.3 Ethical Use of the PSOLIS application

 The PSOLIS application will only be used in an ethical manner in
 accordance with the Department of Health Western Australia ‘Acceptable
 Use Standard – Computing & Communications Facilities’ and all other
 Information Technology policies, guidelines and Operational Directives
 pertaining to the PSOLIS application.


PSOLIS users should respect the privacy and confidentiality of client information and
observe the provisions of the Commonwealth Privacy Act 1988 and comply with the Public
Sector Code of Ethics when using the application.


2.4 Record Keeping

 Electronic records are part of the business records of the Department of
 Health WA


Any records created within the PSOLIS application should form part of the health record
of an individual consumer and should be accorded the same standards of professional
documentation and printed, signed and retained in the same way.

This is especially so as documents held electronically in the PSOLIS application are part
of the business records of the Department of Health WA and are essential to the
preservation of a proper audit trail.
2.5 Compliance Monitoring and Controls


    The Department of Health WA has a legal obligation to monitor access to
    the PSOLIS application.



Individual area mental health services will routinely monitor and investigate staff access
and usage of the PSOLIS application. This will occur to confirm compliance with the
requirements of this policy initiative and to investigate possible incidents of breaches and
unauthorised access.

A breach for the purposes of this policy may include but not be limited to the following;

     •   Access to a client record in PSOLIS that is outside a PSOLIS user’s usual
         permissions / primary access stream without a relevant clinical or administrative
         need.

Monitoring process;

     •   A random selection of staff will be routinely selected for audit
     •   Where a record outside of their stream has been accessed it will be
         cross-checked to establish there is a corresponding service event of clinical /
         administrative relevance
     •   The period of audit will be the preceding two weeks access to the PSOLIS
         application
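
The monitoring process above amounts to a filter over access records. The following Python example is an added illustration, not part of the policy or of PSOLIS: the record fields, user names and client identifiers are constructed, and it assumes a "corresponding service event" means one recorded by the same user for the same client within the audit window.

```python
import random
from datetime import datetime, timedelta

AUDIT_DAYS = 14  # policy: the audit covers the preceding two weeks of access

# Constructed sample rows. Field names are assumptions, not a PSOLIS export format;
# "access_without_role" mirrors the 'Access Without Role' report column.
ACCESS_LOG = [
    {"user": "u.alpha", "client": "C1001",
     "when": datetime(2009, 11, 20, 9, 15), "access_without_role": False},
    {"user": "u.alpha", "client": "C2002",
     "when": datetime(2009, 11, 24, 22, 40), "access_without_role": True},
    {"user": "u.bravo", "client": "C3003",
     "when": datetime(2009, 11, 25, 14, 5), "access_without_role": True},
    {"user": "u.bravo", "client": "C4004",
     "when": datetime(2009, 11, 2, 11, 0), "access_without_role": True},
    {"user": "u.charlie", "client": "C2002",
     "when": datetime(2009, 11, 26, 8, 30), "access_without_role": True},
]
SERVICE_EVENTS = [
    {"user": "u.bravo", "client": "C3003", "when": datetime(2009, 11, 25, 14, 30)},
]


def select_staff(all_users, sample_size, seed=None):
    """Randomly select staff for audit; a seed makes the draw reproducible."""
    rng = random.Random(seed)
    pool = sorted(all_users)
    return set(rng.sample(pool, min(sample_size, len(pool))))


def unexplained_access(access_log, service_events, staff, audit_date):
    """Return (user, date/time, client) for out-of-stream accesses by the
    selected staff in the audit window that have no matching service event."""
    start = audit_date - timedelta(days=AUDIT_DAYS)

    def in_window(moment):
        return start <= moment < audit_date

    # (user, client) pairs with a recorded service event inside the window.
    explained = {(e["user"], e["client"])
                 for e in service_events if in_window(e["when"])}
    findings = []
    for row in access_log:
        if row["user"] not in staff or not in_window(row["when"]):
            continue  # not selected for this audit, or outside the two weeks
        if not row["access_without_role"]:
            continue  # in-stream access is not in scope for this check
        if (row["user"], row["client"]) in explained:
            continue  # a corresponding service event exists
        findings.append((row["user"], row["when"], row["client"]))
    return sorted(findings)


if __name__ == "__main__":
    staff = select_staff({r["user"] for r in ACCESS_LOG}, sample_size=2, seed=1)
    for user, when, client in unexplained_access(
            ACCESS_LOG, SERVICE_EVENTS, staff, datetime(2009, 12, 1)):
        print(user, when.isoformat(), client)
```

Each result carries the user, date/time and client identifier needed for follow-up; a listed access is a candidate for clarification with the user's manager, not a confirmed breach.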

PSOLIS Audit Reports;

PSOLIS Local Administrators and Report Administrators are able to produce three
different Audit reports for the purpose of monitoring access to client records at their
Mental Health Service(s).

Audit: User of Interest:
Report Parameters;
   • Date From
   • Date To
   • User
   • Report Format – PDF, Word or Excel.

Report results display the designated user’s access to all client and non-client records,
including both in-stream and out-of-stream access, for specified date range. An ‘Access
Without Role’ column indicates any out-of-stream access. [1]
Access to clients that are blocked to the user running the report will appear in the results
but shall be marked as non-client.

[1] When ‘Current Only Users’ selected Global Read Only Users are not listed unless they
also have stream specific access

Audit: Out of Stream Access:
Report Parameters;
   • Date From
   • Date To
   • Stream
   • Report Format – PDF, Word or Excel

Report results display All User access regardless of Stream permission to all client
records that have been accessed within the specified stream, regardless of having stream
roles or not at time of access. [3]


Audit: Client of Interest:
Report Parameters;
   • Date From
   • Date To
   • Client
   • Report Format – PDF, Word or Excel.

Report results display user access to the designated client record. Includes all users who
have accessed designated client record within the specified stream who do not have a
role in any of the client streams at the time. [2]

Flowchart for accessing audit reports in PSOLIS;

Access PSOLIS Administrative Reports and select one of:

   •   Audit - Client of Interest: report regarding user access to a designated client
       record
   •   Audit - Out of Stream Access: report regarding All Users access to all client
       records for designated stream
   •   Audit - User of Interest: report regarding a designated user's access to all client
       records

Review report information. If apparent user access breach, identify;

   •   user
   •   date/time of breach
   •   client cmhi/umrn

Follow protocol requirements: contact user's MHS Manager seeking clarification for user
access to client record.

Follow protocol if breach has occurred.

[2] Users that access client records via their Global Read Only privilege will still be
indicated as an out-of-stream access.

2.6 Breaches


 Disciplinary action may occur for any breaches associated with the
 PSOLIS application.


Breaches to the PSOLIS application will be regarded as a serious matter and disciplinary
or other action may be initiated at the discretion of the Operational Data Custodian for the
employing Area Mental Health Service.

The Operational Data Custodians or their delegates will not automatically assume an
allegation of inappropriate use / access has occurred until all the facts have been
assessed and a requirement for action is warranted.

Where a breach has been identified staff will be required to provide a reason for the
breach. Staff may then be informed that their access to the PSOLIS application will be
routinely monitored for a period to be determined by the Operational Data Custodian or
their delegate.

At its absolute discretion, Area Mental Health Services reserve the right to suspend or
terminate staff access to the mental health clinical information system PSOLIS if breaches
have occurred.

At the discretion of the Area Mental Health Service all instances of inappropriate access /
use of the mental health clinical information system PSOLIS especially with regard to
repeat offenders, will be reported to the Corporate Governance Directorate who may then
report the incident to the Corruption and Crime Commission.


☒ REMEMBER

    The Acceptable Use Policy contains the following:

        •   Responsible Use
        •   General Security
        •   Ethical Use
        •   Record Keeping
        •   Compliance Monitoring and Controls
        •   Breaches

3 Background

Staff who require access to the mental health clinical information system PSOLIS must do
so in accordance with relevant State and Commonwealth legislation governing Information
Technology.

When using the mental health information system PSOLIS, Area Mental Health Services
expect users to have a basic working knowledge of how the PSOLIS application works, its
functions and its type of uses relevant to their level of access and permissions.

Area Mental Health Services will routinely assess users' need for training and refresher
training in the PSOLIS application.

3.1 Out-of-Hours / Remote Access
Access to the PSOLIS application is routinely required outside of normal business hours
and whilst providing mental health care to consumers in rural and remote services.
Current practice involves phoning or visiting Hospital/Health Service sites to obtain
information from the PSOLIS application. No information other than anecdotal evidence
on the number of times this occurs is currently available.
Where Area Mental Health Services consider providing remote access to health
professionals to the PSOLIS application via a range of secure methods including but not
limited to access from the Internet\Health Remote; via SecureClient and Secure Portal,
the following should apply;
   •   Determine criteria and processes for approval
   •   Assess the appropriateness of individual applications for approval
   •   Request a regular audit report for the ‘Remote Access User Group’ for individual
       Area Mental Health Services
The confidentiality and security requirements remain similar to requirements for in-house /
health service site access to the PSOLIS application.


4 Training

Area Mental Health Services will ensure that all staff who are provided with access to the
mental health clinical information system PSOLIS will have the requisite training in the
application, its functions and uses relevant to their level of permissions. It is also an
expectation that regular refresher training in the PSOLIS application will be provided by
Area Mental Health Services.



5 Related Legislative and other Documents

Department of Health Western Australia Operational Directives / Circulars and
Policy initiatives;

   1. Operational Directive No: OD 0131/08 Access to the Mental Health Clinical
      Information System (PSOLIS) by Public Sector Organisations
   2. Operational Directive No: OD 0132/08 Access to the Mental Health Clinical
      Information System (PSOLIS) by Non-Public Sector Organisations
   3. Operational Directive No: 9222 4200 Mandatory Data Collection and Recording
      Requirements for Specialised Public Mental Health Services
   4. Operational Circular No: OP 1917/05 Programs (Service Units) in the Mental
      Health Clinical Information System (PSOLIS)
   5. Operational Circular No: OP 1916/05 Ambulatory (Community) Mental Health Data
      Collection
   6. Department of Health Western Australia – Data Management Policy
   7. Department of Health Western Australia – Data Custodianship Policy

Public Sector Standards / Legislation

   1. Western Australian Public Sector Code of Ethics
   2. Public Sector Management Act 1994 (WA)

State and Commonwealth Legislation

   1. Commonwealth of Australia Privacy Act 1988
   2. Western Australian State Records Act 2000
   3. Western Australian Mental Health Act 1996



Appendices: (Please click on the hyperlink for intranet – please print and provide copies
for Non-Public Sector Organisations with access to PSOLIS)

       a.     Operational Directive No: OD 0131/08 Access to the Mental Health Clinical
              Information System (PSOLIS) by Public Sector Organisations
              http://intranet.health.wa.gov.au/circularsnew/pdfs/12401.pdf

       b.     Operational Directive No: OD 0132/08 Access to the Mental Health Clinical
              Information System (PSOLIS) by Non-Public Sector Organisations
              http://intranet.health.wa.gov.au/circularsnew/pdfs/12402.pdf

       c.     Operational Directive No: 9222 4200 Mandatory Data Collection and
              Recording Requirements for Specialised Public Mental Health Services
              http://intranet.health.wa.gov.au/circularsnew/pdfs/12509.pdf

       d.     Operational Circular No: OP1917/05 Programs (Service Units) in the Mental
              Health Clinical Information System (PSOLIS)
              http://intranet.health.wa.gov.au/circulars/pdfs/11905.pdf

       e.     Operational Circular No: OP1916/05 Ambulatory (Community) Mental
              Health Data Collection
       g.     Department of Health Western Australia – Data Management Policy
              http://intranet.health.wa.gov.au/corpdocs/Policy/data_management_policy.doc

       h.     Department of Health Western Australia – Data Custodianship Policy and
              list of assigned Data Custodians and nominated delegates for the PSOLIS
              Application

       i.     Information Security Policy
              http://intranet.health.wa.gov.au/corpdocs/Policy/information_security_policy.doc

       j.     Portable Computer and Storage Devices Policy
              http://intranet.health.wa.gov.au/circularsnew/attachments/397.pdf

				