Skip to content

Acceptable Use Policy

The repercussions of misuse of systems and data can be severe. Potential damage includes, but is not limited to, malware infection (e.g. computer viruses), legal and financial penalties for data breaches, along with lost productivity and impact on patients and the business resulting from disruptions.

FrontRunnerHC’s Acceptable Use Policy (AUP) establishes the conditions, guidelines, and terms of accessing and using its information systems and data by its workforce members. This policy is designed to protect FrontRunnerHC, its patients and workforce members along with other partners to ensure the information and information systems are used in an approved, ethical and lawful manner while maintaining integrity and security.

All FrontRunnerHC workforce members (which include full and part-time employees, vendors, contractors, physicians, consultants, affiliates, associates, students, volunteers, and staff from third party entities) who provide services to FrontRunnerHC are required to adhere to this policy. All workforce members must acknowledge their understanding of this policy by reading, signing, and returning the signed acknowledgement page to Human Resources (HR). Workforce members are not permitted to access FrontRunnerHC information systems and data until they have signed, and HR has received this acknowledgement.

Each workforce member with authorized access to the information systems, data, assets and/or facilities, is responsible for their appropriate use, and by signing the Acceptable Use acknowledgement page agrees to comply with all applicable policies and regulations as well as with the acceptable use policies of any affiliated networks and systems.

In the absence of a specific policy or policy statement, workforce members are expected to utilize good judgment. If there is any uncertainty in the intentions, requirements, or expectations of this or other policies or procedures, workforce members must consult their supervisor or department head for clarification or supplementary guidance.

While workforce members are responsible for the security of the information systems and data, they use in their job roles and functions, FrontRunnerHC is responsible for providing and maintaining appropriate security awareness training programs and campaigns to inform and educate all workforce members on security policies and practices and workforce member obligations.

FrontRunnerHC reserves the right to monitor, audit, and record network and system activity, and potential content. This potential content includes email traffic, internet traffic, network traffic, and any other communications made using FrontRunnerHC’s enterprise network environment and supported devices.

It is the responsibility of all workforce members to ensure the physical security of all FrontRunnerHC assets (IT and non-IT), data (electronic and hard copy), offices and facilities.

Only authorized workforce members and visitors are allowed access to FrontRunnerHC offices and facilities. If workforce members encounter an unrecognized person in a restricted location, they should challenge that person to determine if they are authorized to be there. If the challenged person does not respond appropriately, they should be immediately reported to supervisory staff.

Workforce members should not leave workstations open and unattended. Workstations must be secured either by; locking workstation, activating password-protected screen saver, or logging out prior to leaving to prevent unauthorized access.

FrontRunnerHC has implemented security policies to automatically screen lock workstations if no activity is detected for five (5) minutes. Workforce members are not allowed to take any action which would disable or override this setting.

Workforce members are expected to clear their desks at the end of each workday. The purpose of this is to ensure sensitive papers, documents and data are not inadvertently exposed to unauthorized persons outside of working hours. All confidential and sensitive documents and papers should be secured at the end of the workday. Ensure that any passwords used to access FrontRunnerHC systems and data are not written down and stored in an unsecured location.

All FrontRunnerHC laptops in the possession of workforce members must be protected from physical threats such as loss due to theft or vandalism. Workforce members must ensure the laptop is stored in a secure location (e.g. locked drawer or file cabinet) when not in use.

To prevent any unauthorized access or tampering of the laptop and any data stored, FrontRunnerHC laptops are provided with Laptop Security Software. Workforce members are required to ensure this security software is functioning and use it to secure the laptop when not in the office. Workforce members are not allowed to take any action that would disable or override this security software.

All software programs and documentation generated or provided by workforce members for the benefit of FrontRunnerHC are the property of the company unless covered by a signed contractual agreement. This policy does not apply to any software purchased by workforce members at their own expense.

1.7. Reporting System and Software Malfunctions

Section titled “1.7. Reporting System and Software Malfunctions”

Workforce members are responsible for informing the appropriate FrontRunnerHC support personnel, using the appropriate reporting methods (e.g. call or email the Help Desk), when their system or software is not functioning properly. This malfunction – whether accidental or deliberate – may pose a security risk to patient and corporate information.

If the workforce member or their supervisory or department head suspect the “malfunction” is being caused by a computer virus or malware attack, then the FrontRunnerHC Incident Procedures should be followed. The following steps should be taken immediately:

  • Stop using the computer.
  • Do not carry out any program commands, including commands to save data.
  • Do not close any open computer windows or close/exit any running programs.
  • Do not turn off the computer or peripheral devices.
  • If possible, physically disconnect the computer from networks (e.g. disconnect network cable) to which it is attached.
  • Inform the appropriate technical support personnel and the Information Security Officer (ISO) as soon as possible. Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed.
  • Write down any changes in hardware, software, or software use that preceded the malfunction.
  • Do not attempt to remove a suspected virus!

The ISO will monitor the resolution of the malfunction or incident and note the result of the action with recommendations on action steps to avert future similar occurrences.

FrontRunnerHC workforce members are responsible for following the policies, procedures, and guidelines, including, but not limited to the Acceptable Use Policy.

Policy violations (real, suspected or attempted), must be reported immediately to either their immediate supervisor, or to their department head, or to the Information Security Officer. Any information relating to a flaw in or bypass of security mechanisms, policies or procedures must be reported immediately.

Any security violations or security weaknesses identified because of Security Awareness training, or user knowledge, must also be reported immediately. For all security violations, contact the ISO.

Reports of security incidents are escalated as quickly as possible. Each incident is analyzed to determine if changes in the existing security structure and systems are necessary. All reported incidents are logged with the remedial action taken to resolve included. The ISO is responsible for providing any training on any procedural changes required because of the incident.

Security breaches are promptly investigated with the appropriate industry and government regulatory agencies and departments contacted as required under mandated laws, regulations, and statutes. If any criminal action is suspected, the appropriate law enforcement and investigative authorities will be contacted to engage them in assisting with the investigation.

Workforce members are prohibited from engaging in the following activities that can have an impact on the confidentiality, integrity, and availability of FrontRunnerHC’s information systems, resources and data:

  • Crashing an information system – Deliberately crashing an information system is strictly prohibited. Workforce members may not realize that they caused a system crash, but if it is shown that the crash occurred because of user action, a repetition of the action by the workforce member may be viewed as a deliberate act.
  • Attempting to break into an information resource or to bypass a security feature – This includes running password-cracking programs or sniffer programs and attempting to circumvent file or other resource permissions.
  • Disturbing IT systems or interfering with legitimate access to IT assets is strictly prohibited – This includes using any program/script/command or sending messages of any kind with the intent to interfere with or disable a user session via any means.
  • Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer (“P2P”) or other malicious code into an information systemEXCEPTIONS: Authorized information system support personnel, or others authorized by the Information Security Officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.
  • Browsing – The willful, unauthorized access or inspection of confidential or sensitive information to which workforce members have not been approved on a “need-to-know” basis is prohibited. FrontRunnerHC has access to patient level health information which is protected by HIPAA regulations which stipulate a “need-to-know” before approval is granted to view the information. The purposeful attempt to look at or access information to which the workforce member has not been granted access by the appropriate approval procedure is strictly prohibited.
  • Software Use – Violating or attempting to violate the terms of use or license agreement of any software product used by FrontRunnerHC is strictly prohibited.
  • System Use – Engaging in any activity for any purpose that is illegal or contrary to the policies, procedures, or business interests of FrontRunnerHC is strictly prohibited. This includes executing any form of network monitoring to intercept data without explicit authorizations as part of the workforce member’s job/role/function. Also includes engaging in any activity that may cause security breaches or disrupt network communications.

1.10. Electronic Communication, E-Mail, Internet Usage

Section titled “1.10. Electronic Communication, E-Mail, Internet Usage”

As a productivity enhancement tool, FrontRunnerHC encourages the business use of electronic communications. However, all electronic communication systems and all messages generated on or handled by corporate-owned equipment are considered the property of FrontRunnerHC, and not the property of workforce members. This applies to all FrontRunner workforce members, and covers all electronic communications including, but not limited to, telephones, e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.

IT assets and resources provided by FrontRunnerHC, such as; individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services are intended for business purposes. However, incidental personal use is permissible under the following conditions:

  1. Does not consume more than a trivial amount of employee time or resources,

  2. Does not interfere with staff productivity,

  3. Does not preempt any business activity,

  4. Does not violate any of the following:

    a. Copyright violations – This includes the act of pirating software, music, books and/or videos or the use of pirated software, music, books and/or videos and the illegal duplication and/or distribution of information and other intellectual property that is under copyright.

    b. Illegal activities – Use of company information resources for or in support of illegal purposes as defined by federal, state, or local law is strictly prohibited.

    c. Commercial use – Use of company information resources for personal or commercial profit is strictly prohibited.

    d. Political Activities – All political activities are strictly prohibited on company premises. The company encourages all employees to vote and to participate in the election process, but these activities must not be performed using corporate assets or resources.

    e. Harassment – FrontRunnerHC strives to maintain a workplace free of harassment and that is sensitive to the diversity of its employees. Therefore, FrontRunnerHC prohibits the use of computers, e-mail, voice mail, instant messaging, texting, and the Internet in ways that are disruptive, offensive to others, or harmful to morale. For example, the display or transmission of sexually explicit images, messages, and cartoons is strictly prohibited. Other examples of misuse include, but are not limited to, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassing, discriminatory, derogatory, defamatory, threatening or showing disrespect for others.

    f. Junk E-mail - All communications using IT resources shall be purposeful and appropriate. Distributing “junk” mail, such as chain letters, advertisements, or unauthorized solicitations is prohibited. A chain letter is defined as a letter sent to several persons with a request that each send copies of the letter to an equal number of persons. Advertisements offer services from someone else to you. Solicitations are when someone asks you for something. If workforce members receive any of the above, they are to delete the e-mail message immediately. Do not forward the e-mail message to anyone.

Generally, while it is NOT the policy of FrontRunnerHC to monitor the content of any electronic communications, the company is responsible for servicing and protecting its equipment, networks, data, and resource availability and therefore may be required to access and/or monitor electronic communications from time to time. Examples of this type of monitoring include, but are not limited to, an audit or cost analysis, research and testing to optimize IT resources, troubleshooting technical problems, and detecting patterns of abuse or illegal activity.

FrontRunnerHC reserves the right, at its discretion, to review any workforce member’s files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as company policies.

Workforce members using FrontRunnerHC IT assets, including telephone and voicemail, must understand there is no expectation of privacy. Workforce members should structure all electronic communications with recognition of the fact that content could be monitored, and that any electronic communication could be forwarded, intercepted, printed, or stored by others.

Workforce members are to avoid sending or forwarding Electronic Personal Health Information (ePHI) data of any type (encrypted, password-protected, etc.) through any form of electronic communication.

Workforce members are to take all steps necessary to avoid EVER emailing any content or attachments that may include ePHI.

If it is unavoidable, workforce members are to only use corporate-approved solutions (Microsoft Outlook and no other email application) in these situations. To encrypt the message, include the word “SECURE” in the subject line of the outgoing email message. The recipient will receive a notification email that a secure email is available for viewing from a secure website. The recipient is provided instructions to create a password and login to the secure portal to decrypt and securely read the message.

With the emergence of AI tools (e.g. ChatGPT, Bard) the impact on the workplace, workforce and data is recognized. While these new tools provide benefits and opportunities for creating and increasing efficiency and work functions, there are serious considerations regarding use of these tools, especially ensuring and maintaining data security.

Workforce members need to understand the use of AI tools means that any information shared will be retained by the AI system and will be publicly available.

Workforce members need to also understand that because of how AI tools gather information that in some situations the information and responses provide by these tools and systems may be false or incorrect. Any information and responses generated by AI tools should be reviewed and verified by a human. Workforce members will only use those AI tools approved by the organization. Use of AI tools is only for authorized business purposes and in accordance with applicable laws, regulations, and company policies.

All AI tools will be reviewed and evaluated, before approval, to ensure the tool’s functions, security features, terms of service and privacy policy align with the organization’s security and data protection policies and standards.

AI Usage Guidelines

Use of AI tools will align with the organization’s acceptable use standards and policies to ensure proper legal and ethical use of these tools. Workforce members will ensure protection of confidential data. No data that is confidential, proprietary, or protected by law or regulation will be uploaded or used with any AI tools without prior approval from management or the IT Security department. This includes data related to customers, workforce members, business partners, vendors, or suppliers.

Use of AI tools will align with the organization’s security policies and standards to ensure best practices are applied to the use of these tools. This includes using strong passwords, keeping software up-to-date, and following data retention and disposal policies.

Use of AI tools for any work function should be documented for tracking purposes in the event of any issues or further follow up is required. Any suspected security breaches, misuse, or unauthorized access of AI tools should be reported immediately to management or the IT Security department. Workforce members may not use AI tools or any associated AI product or system for the following:

  1. Automated decision-making processes with legal or similarly significant effects (e.g. employment hiring practices), unless the final decision is made by a human being.

  2. Generating individualized advice that in the ordinary course of business would be provided by a licensed professional. This includes, for example, financial, legal and medical (e.g. diagnosis, treatment) advice.

FrontRunnerHC recognizes that workforce members may wish to access and use social media for personal activities and interests outside of work time.  This policy does not intend to discourage or unduly limit personal expression or online activities.  The Company respects the right of any employee to maintain their own personal blog or web page or to participate in social networking, including but not limited to Facebook, X (formally known as Twitter), and LinkedIn. All rules regarding confidential and proprietary business information apply in full to blogs, web pages, and any social networking sites. Any information that cannot be disclosed through a conversation, a note or an e-mail also cannot be disclosed in a blog, web page, social networking, or similar site. Workforce members are personally responsible for the content published in a personal capacity on any form of social media platform.  When in doubt, they should seek guidance from the company on how to comply with employment obligations.

Use of personal posts should not disclose information that would otherwise not be disclosed, speculate on policy or possible policy, or indicate possible future decisions of the company.  Whether an employee is posting something on his or her own blog, web page, social networking site, or on someone else’s, if the employee mentions the Company and also expresses either a political opinion or an opinion regarding the Company’s actions, the post must include a disclaimer. The post should specifically state that the opinion expressed is his/her personal opinion and not the Company’s position.

Personal social media accounts should not be created with or associated with any corporate or company related email accounts except for LinkedIn accounts that are used for business reasons.

Employees with any questions should review the guidelines above and/or consult with their manager.

All media requests should be directed to the Marketing Leader and CEO.

Failure to follow these guidelines may result in discipline, up to and including termination.

Workforce Members can choose to use their personal mobile devices to connect to company email and team communication tools (using Microsoft Outlook and Microsoft Teams). Personally owned devices cannot be connected to any other company network resources for any other purposes.

To meet corporate security standards, Workforce members agree to allow their personally owned mobile device to be enrolled by the company’s mobile device management software which will enforce certain security requirements (e.g. screen unlock code) onto the device. Workforce members further agree that company-provided applications and related data can be remotely wiped by IT management should the phone be lost or stolen, or if the user terminates his or her employment with the company.

Workforce members agree to a general code of conduct that recognizes the need to protect confidential information that may be accessed using a mobile device. This code of conduct includes, but is not limited to:

  • Doing what is necessary to ensure the adequate physical security of the device.

  • Maintaining the software configuration of the device including the operating system and the applications installed.

  • Preventing the storage of sensitive FrontRunnerHC data in unapproved applications on the device.

  • Ensuring the device’s security controls are not subverted via hacks, jailbreaks (gaining access to the operating system of a device usually to run modified or unauthorized software), security software changes and/or security setting changes.

  • Reporting a lost or stolen device immediately.

  • Establishing and maintaining passwords for devices. Despite some aspects of the personally owned smartphone and tablet being centrally managed by the IT department, any support needs or issues related to the personally owned device outside of the company-provided applications remains the responsibility of the device owner. Specifically, the device owner is responsible for:

  • Settling any service or billing disputes with the carrier.

  • Purchasing any required software not provided by the manufacturer or wireless carrier.

  • Device registration with the vendor and/or service provider.

  • Maintaining any necessary warranty information.

  • Battery replacement due to failure or loss of ability to hold a charge.

  • Backing up all data, settings, media, and applications.

  • Installation of software updates/patches (exception for those installed by FrontRunnerHC .

  • Device enrollment with the IT department.

  • Assuming full liability for risks including, but not limited to, the partial or complete loss of FrontrunnerHC personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable. To meet security standards for a personally owned device, the following requirements are to be used for accessing FrontRunnerHC networks:

  • The device owner is responsible for securing their device to prevent sensitive data from being lost or compromised and to prevent viruses from being spread. Removal of security controls is prohibited.

  • The device owner is forbidden from copying sensitive data from email, calendar, and contact applications to other applications on the device or to an unregistered personally owned device.

  • Sensitive data will only be sent from a mobile device using corporate-approved secure email.

  • The device operating system software and configurations will be maintained to minimum mobile device management policies. If some aspect of the device falls below these minimums (e.g. the version of the operating system becomes too old), a push notification is automatically sent to the device for the device owner to address. FrontRunnerHC reserves the right to monitor and protect the integrity and security of its network and data. FrontRunnerHC has the right to, at will:

  • Monitor corporate messaging systems and data including data residing on the device owner’s mobile devices.

  • Modify, including remote wipe of the work profile, the registered mobile device configuration if FrontRunnerHC believes the:

    • Device is lost, stolen, or believed to be compromised.
    • Device is found to be non-compliant with this policy.
    • Device inspection is not granted in accordance with this policy.
    • Device belongs to a device owner who no longer has a working relationship with FrontRunnerHC

Note: While FrontRunnerHC will make reasonable efforts to prevent the workforce member’s personal data from being lost in the event it must remote wipe a device, it is the workforce member’s responsibility to take additional precautions, such as backing up personal email, contacts, apps, etc.

When a workforce member terminates employment with FrontRunnerHC the IT department will have the device remotely wiped of all FrontRunnerHC related applications and data contained within the work-profile.

Any workforce member found to have violated this policy may be subject to disciplinary actions.

For workforce members within the office, access to their workstations and systems (File, print, SharePoint, etc.) are by username/password as provided by IT.

For workforce members needing access to the Non-Production and/or Production systems (e.g., PatientRemedi, Credit Balance, etc.), in addition to a separately assigned username and password, they will also require multi-factor authentication.

All workforce members will always require multi-factor authentication to access any FrontRunnerHC resource.

1.16. Transfer of Sensitive and Confidential Information

Section titled “1.16. Transfer of Sensitive and Confidential Information”

All workforce members must recognize the sensitive nature of data maintained by FrontRunnerHC and hold all data in the strictest confidence. When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. Any purposeful release of data to which a workforce member may have access is a violation of FrontRunnerHC policy and will result in personnel action and along with potential legal action.

The FrontRunnerHC enterprise network environment is maintained with a wide range of security protections in place, which include features such as virus and malware protection, e-mail file type restrictions, firewalls, anti-hacking hardware and software, etc.

Personal software shall not be used on FrontRunnerHC computers or networks. No unapproved software may be downloaded. If a need for specific software exists, workforce members are to submit a request to their supervisor or department head. Workforce members will not use FrontRunnerHC purchased software on home or on non-corporate computers or equipment.

No personal hardware may be used except smartphones which may ONLY be used for Microsoft Outlook (E-Mail) access, Microsoft Teams (intra-personnel communication) and multi-factor authentication tokens.

FrontRunnerHC proprietary data, including but not limited to patient information, IT systems information, financial information, or human resource data, will not be placed on any computer that is not the property of the company without written consent of the respective supervisor or department head.

Since FrontRunnerHC does not control or support non-company computer systems, FrontRunnerHC cannot be sure of the methods that may or may not be in place to protect any confidential or sensitive information, and it is crucial to FrontRunnerHC to effectively protect all data.

If a supervisor or department head receives a request to transfer company data to a non-company computer system, the supervisor or department head must notify the Privacy Officer or appropriate personnel of the intentions and the need for such a transfer of data.

1.18. De-Identification/Re-Identification of ePHI

Section titled “1.18. De-Identification/Re-Identification of ePHI”

As directed under the Health Insurance Portability and Accountability Act (HIPAA), all personal identifying information is to be removed from all data that falls within the definition of Personal Health Information (PHI) before it is stored or exchanged.

De-identification is defined as the removal of any information that may be used to identify an individual or relatives, employers, or household members. PHI includes:

  • Names
  • Addresses
  • Geographic subdivisions smaller than a state
  • All elements of dates directly related to the individual (Dates of birth, marriage, death, etc.)
  • Telephone numbers
  • Facsimile numbers
  • Driver’s license numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers, certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers
  • Full face photographic images and any comparable images

Re-identification of confidential information: A cross-reference code or other means of record identification is used to re-identify data if the code is not derived from or related to information about the individual and cannot be translated to identify the individual. In addition, the code is not disclosed for any other purpose nor is the mechanism for re-identification disclosed.

All users (employees, contractor, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this policy and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this policy and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.

RevDescriptionDateApproved
-Policy createdJanuary 2018M Machin
1.0Added paragraph 2.13December 2018M Machin
2.0Remove references to BCS for IT Support; add 2.12 Social MediaOctober 2020M Machin
3.0Reviewed content. Made edit changes to provide more detail to sections and ensure language aligns with other policies and with HIPAA requirementsSeptember 2022M Machin
4.0Reviewed content; minor revisions to Social Media PolicyOctober 2023S Melvin
5.0Addition of Artificial Intelligence content at 32.2.12March 2024M Machin
6.0Reviewed content; No updates neededAugust 2025S Melvin

blah