Document Management allows you to create Standard or Secure Document Types. The Document Security Level cannot be changed once it has been set.
Standard Documents
The Standard Document Type is not encrypted and should not be used for soliciting or storing any sensitive personally identifiable information (SPII).
Secure Documents
Files uploaded to Secure Document Types will be encrypted and only those specified on the activity or Facility will be able to manage them. The Secure Document Type allows for collecting both PII and SPII, with the exceptions of PHI and CHD, which may not be collected in Recreation Management documents. For this reason, do not request credit card or debit card information on any documents and do not use Recreation Management document management to collect patient information concerning the provision of healthcare if you are a HIPAA-covered entity or Business Associate of a HIPAA-covered entity.
AES 256: The effective standard for the Federal Government, established by NIST. It is highly performant and requires few resources.
Encryption Key Management: Using Azure Key Vault ensures that we can securely store the encryption keys and limit access to them. Azure Key Vault uses FIPS 140-2 Level 2 validated hardware security modules.
For the HCMS, there is 1 encryption key per HCMS app, and that encryption key is stored in a separate key vault, apart from the encrypted items.
We also encrypt portions of the encryption access logs including .
Data: Data and files uploaded will be encrypted in transit and at rest.
Examples of data that can be collected with Secure Document Types:
Telephone and fax numbers
Email addresses and physical addresses such as street addresses, zip codes, and county
Driver’s license number, passport number, or social security number
A name, including the full name of the individual, their maiden name or mother’s maiden name, and any alias they may use
Asset information, such as MAC address or , as well as other static identifiers that could consistently link a particular person
Information about an individual that is linked to their place of birth, date of birth, religion, activities, geographical indicators, or educational data
Dates directly linked to an individual, including date of birth and death
Bank account information
Medical record numbers
Health plan beneficiary numbers
Medical information such as diagnoses, treatment information, medical test results, and prescription information
Certificate or license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Biometric identifiers, including finger and voice prints
Guiding Principles to Mitigate Risk When Collecting PII or SPII
Only collect personal information if you need it and explain why any SPII being collected is required
Tell people what you’re going to do with their information
Apply appropriate safeguards to the information, such as limiting access and training employees on proper handling
Give people access to their personal information if they want it
Let people correct any wrong information
Get rid of information when you’re done with it
Learn more about PII, Sensitive PII, and PHI.