EZ Messenger Staff - PII Policy

Personally Identifiable Information, Protected Data, Private Data


Personal information is held strictly confidential at EZ Messenger. The following are examples of Personally Identifiable Information (PII) that must be protected:

Social Security Numbers
Protected Health Information (PHI)
Date of Birth
Government Issued ID Number
Criminal History
Biometric data (fingerprints, for example)
Computer Passwords
Debit/Credit Card Numbers
Bank Accounts (routing and account numbers)
Tax Information

Complete Sensitive Personal Information Policy

  • Purpose

    The following training material has been extracted exactly from the Texas Office of the Attorney General’s Learning Management System and is required training material for all F.A.S.T. users as well as all EZ Messenger Service Vendors. If you have questions about this training and testing, please first speak with your manager. If you are still unsure of the Policy, please contact the Department of Quality Assurance.

  • Responsibilities

    All EZM employees are responsible for adhering to this Policy. Failure to adhere to this Policy may result in disciplinary action; see the EZ Messenger Employee Manual. This mandatory Policy will be tested every two years.

  • Escalation Point of Contact

    If you have questions about this training and testing, please first speak with your manager. If you are still unsure, please contact the Director of your department or the Director of Quality Assurance.

  • Policy

    Sensitive Personal Information (SPI) examples:

    1. Protected Health Information (PHI)

    2. Social Security Numbers

    3. Dates of Birth

    4. Government issued ID numbers

    5. Criminal history record information

    6. Biometric data

    7. Computer Passwords

    8. Credit/debit card numbers

    9. Tax information

    10. EZ Messenger Sensitive Personal Information Policy requires employees to:

    a. protect sensitive personal information the agency receives, collects, uses, and maintains

    b. maintain appropriate safeguards to prevent unauthorized use of, access to, or disclosure of such information; and

    c. strive to achieve the highest ethical standards in dealing with sensitive personal information; and

    d. Golden Rule: Consider how you would want the information treated if it were your sensitive personal information

    11. Collecting Sensitive Personal Information.

    a. SPI must be collected in a manner that is consistent with any applicable law, rule, or policy.

    b. SPI shall be collected only when required to accomplish a governmental or business purpose

    12. Disclosing Personally Identifiable Information

    a. SPI can be disclosed only as allowed by state and federal law.

    b. SPI shall be disclosed only to the minimum extent necessary to achieve legitimate work-related purposes.

    13. Using Personally Identifiable Information

    a. SPI shall only be used to fulfill official duties of the agency.

    b. SPI that is voluntarily submitted to, and not solicited by, the OAG can be used to fulfill the official duties of the agency.

    14. What is Protected Health Information (PHI)

    a. Protected Health Information or PHI is a type of sensitive personal information.

    b. By state and federal law, PHI is defined as information relating to a person's past, present, or future physical or mental condition, the provision of health care to that person, or the payment for the provision of health care.

    c. PHI includes information that could be traced back to a person.

    15. Protected Health Information Examples

    a. Medicaid claims data

    b. List of Medicaid recipient names

    c. Medication profiles for Medicaid Patients

    d. Medical records of parties or witnesses involved in litigation

    e. Psychological evaluations

    16. PHI is subject to several state and federal laws that address protected health information (PHI) and sensitive personal information (SPI), including:

    a. Portable electronic devices (e.g., laptops, smartphones, cameras)

    b. HIPAA (Health Insurance Portability and Accountability Act)

    c. HITECH

    d. Texas Family Code

    e. Texas Health & Safety Code

    f. Texas Business & Commerce Code

    g. Texas Government Code

    17. HIPAA (Health Insurance Portability and Accountability Act). PHI is subject to several state and federal laws that address protected health information (PHI) and sensitive personal information (SPI), including HIPAA:

    a. HIPAA's Privacy Rule established national standards to protect PHI.

    b. General rule: PHI may not be used or disclosed except as the HIPAA Privacy Rule permits or requires.

    c. Under HIPAA, an individual's right to health information privacy survives even after his/her death.

    d. HIPAA's Security Rule established security safeguards to protect PHI from unauthorized access or disclosure.

    e. HIPAA is an extremely complex set of federal regulations.

    18. Health Information Technology for Economic Clinical Health Act (HITECH)

    a. HITECH is a federal law that amended HIPAA to impose certain security requirements on additional entities, including the OAG. Examples of HITECH security requirements include the following safeguards.

    b. HITECH imposes civil and criminal penalties for violations and requires timely notification to specific individuals and entities in cases of certain security breaches. Security breaches include lost or stolen portable storage devices or portable electronic devices containing PHI, publishing PHI on a public or unsecured website, emailing PHI to an unauthorized recipient, and discarding paper files containing PHI in an unsecured trash or recycling bin.

    19. Texas Medical Privacy Act (TMPA). In 2011, the Texas Legislature significantly amended the TMPA (Chapter 181 of the Health and Safety Code). Examples of the changes are:

    a. Mandatory employee training on handling PHI is now required.

    b. Required to maintain a consumer complaint and PHI information website.

    c. Authorized to pursue additional administrative and civil penalties for unauthorized use or disclosure of PHI.

    20. Accessing SPI/PHI. A person shall be granted access only when and to the extent that it is needed to perform his/her official duties. Electronic devices must not be left unattended without:

    a. Logging off

    b. Using a password-protected screen saver

    c. Using another approved security system

    21. Transmitting SPI/PHI. When transmitting SPI/PHI by mail, courier, or other similar method, take reasonable steps to guard against unauthorized disclosure of that information. SPI/PHI shall be emailed outside the OAG only if the email is encrypted.

    22. Safeguarding SPI/PHI. Computer systems, servers, or other similar devices containing SPI/PHI must be protected in accordance with EZ Messenger’s IT security standards. Paper files with SPI/PHI must be kept in a secure location that will protect the files from unauthorized intrusion or access. Passwords must always be protected. Only authorized personnel shall have access to SPI/PHI.

    23. Disposing of SPI/PHI. SPI/PHI shall be disposed of only in accordance with the records retention schedule and in a manner that ensures it cannot be read or deciphered by unauthorized individuals. SPI/PHI in paper form must be destroyed by shredding or placing in a locked shred bin. Electronic storage devices containing SPI/PHI shall not be reused unless all SPI/PHI has been removed or destroyed in accordance with OAG IT security policies and procedures.

    24. Reporting Security Incidents. Security incidents include:

    a. Any potential data breach or unauthorized collection, use, maintenance, or disclosure of SPI/PHI; any theft, loss, or unauthorized destruction of material containing SPI/PHI.

    b. Any conduct or activity that the employee reasonably believes could lead to the unauthorized use, maintenance, or disclosure of SPI/PHI.

    c. Employees shall not attempt to decide on their own whether a security incident has resulted in a breach.

    d. Report all security incidents to local, regional, or division management and to the Information Resources Manager at EZ Messenger.

    25. Management Responsibilities. Management must:

    a. establish specific practices and procedures to safeguard SPI/PHI collected, used, or maintained by the division;

    b. authorize employee access to SPI/PHI only if a business need exists;

    c. ensure that all employees receive additional training on SPI/PHI if necessary;

    d. appoint a Records Management Liaison; and

    e. ensure that any actual or potential security and privacy breaches are reported to the Information Resources Manager at EZ Messenger.

    26. Employee Responsibilities. Employees must:

    a. take this mandatory training;

    b. maintain the confidentiality of SPI/PHI;

    c. collect, use, and maintain SPI/PHI only when needed to complete assigned tasks and responsibilities;

    d. safeguard SPI/PHI when working at OAG facilities or off-site (e.g., courthouse, traveling); and

    e. take additional training if required by division management.

  • Testing

    EZ Messenger has produced testing documents for this Policy. All employees responsible for this Policy will be tested, with continued testing scheduled annually.

  • References and Resources

    EZ Messenger Employee Manual

    Security Memo and Policy

#compliance