Laserfiche WebLink
5. The Receiver is not responsible for any damage caused by viruses originating from any <br />places not attributable to the Receiver. <br />6. It is strongly suggested that the Holder CDR staff have consistent/comparable security <br />practices in place for data that is downloaded from the servers back to the Holder CDR <br />staff or back to the Holder CDR staff s identified users. <br />G. Access to the CDR Data on the Servers <br />Receiver staff managing the server and CDR -CRS will only access the data submitted by <br />the Holder CDR staff in the event that there are unforeseen problems with the database <br />that need troubleshooting, correction or upgrading. Receiver staff will not amend, <br />addend, alter or erase any information contained in data files without prior written <br />authorization. <br />2. Identifiers will be removed from data downloads based on the permission levels for each <br />of the Holder CDR staff and Receiver. This removal of data elements is a software <br />program feature of the CDR -CRS. <br />3. NCRPCD staff will have access only to data submitted by the Holder CDR staff and its <br />authorized data entry persons that have case identifiers removed using the HIPAA <br />standards listed in Appendix B, unless in the event of unforeseen problems with the <br />database that require troubleshooting or during development of CDR -CRS releases or <br />upgrades. <br />4. The Holder CDR staff will identify the level of access to data of its authorized persons at <br />both the state and local level. Data will be accessible to the Holder CDR staff via the <br />Internet. <br />5. It is strongly suggested that the Holder has signed confidentiality statements from all of <br />its authorized users (see Appendix C as example statement). <br />6. The Holder will provide the DOH with the written names and contact information for <br />persons with permission to access data, and the DOH will forward this information to the <br />Receiver in the event that the Receiver is asked by the DOH to create logins. <br />7. Any breach of security or unintended disclosure known by the Receiver will be reported <br />immediately to the appropriate Receiver supervisors, Privacy Officer, Security Officer, <br />and Research Integrity Officer. The Holder will then be notified of the event and steps <br />will be taken by the Holder CDR staff to mitigate harm and cure the breach of security <br />within thirty days. As stated in Section A, the privacy protocols and policies in place at <br />the Receiver are in compliance with HIPAA and meet or exceed federal standards. <br />8. Any breach of security or unintended disclosure known by the Holder CDR staff will be <br />reported immediately to the Receiver, and the DOH. If the Holder wants staff access <br />removed, the DOH or the Receiver can remove staff from the database to restrict access <br />to data. Steps will be taken in coordination with the Holder CDR staff to mitigate harm. <br />H. Permitted Data Uses <br />Data housed at the Receiver are not subject to the Freedom of Information Act (FOIA) <br />and, as such, no data submitted by the Holder CDR staff will be released by the Receiver <br />in response to any FOIA request. The Holder CDR staff will address any FOIA request <br />made to the Holder CDR staff. <br />M <br />