Policy: 191

Therap – Electronic Data Management

MDCBDSN shall use Therap, an electronic data management system for documentation and file management.


Agency staff will be trained in the following procedures:

  1. Protected Health Information (PHI) of individuals should always be communicated securely, for example using secure HTTPS, a cryptographically secured protocol and interfaces.
  2. Staff will be instructed in the authorized use of PHI for individuals in their care and not to discuss confidential information outside of their place of employment.
  3. Users need to proceed with caution when they are saving electronic files containing PHI or files exported from Therap to Excel or PDF in a shared computer.
  4. Users should not share their personal login information with others.
  5. Users should not write down their login information on paper or save them in an electronic file that can be accessed by other users.
  6. Provider Administrators will establish a password policy for the agency.
  7. While accessing this system from a shared computer or a public place, user should not leave the computer screen unattended, and delete all information from those computers, including clearing caches, cookies and temporary files.
  8. All agency employees are advised to not store data on agency or personal computers, laptops or other storage devices; the files containing PHI should be deleted after the work has been completed.
  9. Management reports, Behavior information, Nursing, summary reports and other reports containing PHI may be printed or copied for use as required for agency business, as provided in state and federal regulation and agency policy.

Provider administrators will be trained by Therap Services staff in the use of management of electronic data within the secure database. These selected Provider Administrators are the persons responsible for proper assignment of access privileges to users, setting up password policies and activating/deactivating user accounts. They will be required to have a clear understanding and sound knowledge about the various application capabilities and the underlying HIPAA regulations and E-sign policy. These include:

Access Control: Administrators are responsible for assigning proper roles and privileges to users to grant access to the system while at the same time restricting that access only to the information they are authorized to see. Provider Administrators are also responsible for updating these access privileges assigned to users in accordance with their changing job responsibility and authority.

Implement Password Policy: Provider Administrators are able to set up and implement a suitable password for the agency by specifying a number of properties including the minimum length, number of letters, digits, and special characters required and the policy regarding the expiration period of passwords. The Agency shall not record, inquire of any employee or assign passwords to employees. The agency may reset a temporary password at the request of an individual employee who has been locked out of the system. The employee will be prompted and requested to reset their temporary password by the Therap System.

Managing User Accounts: Provider Administrators are responsible for creating and activating Therap accounts for employees and providing them with the login information they need to access these accounts. Provider Administrators need to instruct new account holders to choose a new password for themselves once they start using the system. If a user forgets his password, login name or provider code, they will have to go to their respective Provider Administrators to collect this information (Therap customer Support will not alter or supply users' login information, except for agency Provider Administrators). Provider Administrators may also disable an employee's user account when they are leaving the organization, on extended leave, or administrative leave.

Assignment of Roles and Caseloads: Therap implements a multilevel access mechanism based on roles and individuals. Providers can specify the level of access available to a particular user of the system and grant permission accordingly. This only allows users to have access to information they are authorized to work with. Provider Administrators shall assign each User a specific list of roles for access privileges as well as access to a specific caseload(s) of individuals based upon their need to know, access and level of responsibility for those individuals.

Access to Therap during Non-Work Hours: All non-exempt and direct care employees shall be instructed not to access Therap during non-scheduled work hours. Employees are not required by the agency and are not authorized to access the Web-Based Electronic Data Management System during non-scheduled work hours.

Message Integrity: All communications between end users browser and the Therap application is carried over HTTPS, a crytographically secured protocol. No third party can modify the data transferred. No user can modify the data stored in Therap, without going through the application. The data is stored in multiple secured locations, guaranteeing its safety from natural and manmade disasters.

Secure Sockets Layer (SSL): SSL is the international standard used to ensure protection of data during transmission over the Internet. SSL provides endpoint authentication and communications privacy over the Internet using cryptography. The protocols allow client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering and message forgery. Called communication from the user to Therap system use SSL and thus are secure during transmission.

Non-Repudiation: As the data is stored securely, no user can access the data without proper privilege and audit trail (activity tracking) and no user can deny the association of his/her identity with a document stored in Therap.

User Authentication: All users, including Therap staff, must authenticate with a unique login name and a secret password to gain access to the system.

Session Expiration: Therap has a session expiration mechanism such that a session expires when a user has not used the system (i.e., has not hit any key on the keyboard or clicked on a button on the form) for half an hour, before starting to enter information again. The system displays a countdown message for 5 minutes before the session actually expires; if the user wants to resume work, they can cancel the expiration simply by clicking a button on the countdown message. This is a security feature that prevents unauthorized people from using your login in cases where users may have left the program without logging out.

Altering over Non-Secure Media: One challenge to security is the use of non-secure media such as e-mail, text messaging and paging. The Therap system assures that no Protected Health Information is transmitted over these media, while still providing a flexible alerting mechanism. For example, users may configure their notification properties to receive email or text messages that would let them know about critical incidents reports filed without revealing any Protected Health Information. When secure media, such as SComm and First Page, are used for alerting, the system allows Protected Health Information, such as the individual's name to be included.

Tracking User Activities: Provider Administrators are able to track all users' activities by using the Therap Activity Tracking module. The module is equipped with the capability to record and report on activities of all user accounts within the agency. The Activity Tracker shall record all Users accessing the system, time, date, login name, User name, IP address used to access the system, all activity, including viewing of information, creation or modification of any and all data records. Provider Administrator with this role or option can detect any attempts to breech the security system (Failed login attempts) and other misuse. The Therap system is monitored by security systems and staff for unusual activity within the accounts. Therap Services will provide training and support materials for Provider Administrators to learn about these and other HIPAA complaint Therap features, as needed.

Staff Training: The agency will provide training of all new employees in the use of Therap, method and requirements for documentation and the use of searches, summary data and reports for all modules. Online training, "walkabouts", automated training, webinars, a User guide, online help, Feedback, FAQs, etc., are available for all users on: www.TherapServices.net.

Clear to Zero: All employees with direct support responsibilities are required to clear the First Page or Dashboard of their Therap account each day at the beginning of their shift of all numbers, which are notifications of new information about the individuals in their care or important communications from the agency. The employee's FirstPage or Dashboard can be cleared by opening and reading all information contained in these links. The employee is responsible for all information contained in these communications and the Therap system does record that these items that have been viewed and acknowledged by the employee.

Printable Format or Record Access: All information contained with The Electronic Data Management System (Therap) is printable and can be reproduced upon request for any quality monitor, licensing staff, survey team, auditor or guardian upon request.

Readily Accessible: The Electronic Data Management System (Therap) shall be accessible to any authorized person including licensing staff, investigators, surveyors, auditors, and monitors upon request, twenty-four hours per day. The Provider Administrator of the agency can provide immediate and complete access to the electronic records of all individuals to an authorized person, through online access and remote approval. The list of Provider Administrators for the agency is available to all employees under their "My Account" section located on their FirstPage or Dashboard.

Deletion of Information: The Electronic Data Management System (Therap) shall maintain all data submitted by the Users, in the original form, and as approved, updated or modified, all versions of reports, data and information shall be archived and retrievable. Any sensitive or confidential documents (Abuse, Neglect, Unlawful Acts, etc.) shall be available upon request by authorized persons to review and may be accessed online with restricted access. Records and data shall not be deleted from the system, any such requests for the deletion of any information shall be recorded and accessible to auditors, investigators, and appropriate authorities. This information shall be recorded in the Provider Administrators' Secure Communications, and shall contain a written explanation of the request, with the identification of the User making the request, date and time, data information, and Form ID number.

Electronic Communications Systems: Computer facilities owned, leased or otherwise maintained by the Company are intended for use by qualified and authorized personnel and only in the conduct of official business.

It is important that every employee understand that all electronic communication systems used while at work, including but not limited to the Internet, telephone system and email, as well as all information transmitted, received, or stored in these systems are property of the Company. Thus, the Company needs to be able to access and/or disclose any information in the electronic communication system, even those protected by your personal password, at any time, with or without notice to the employee. Employees have no expectation of privacy in connections with the use of these systems or the transmission, receipt or storage of information in such systems. Therefore, employees should not use these electronic systems to store or transmit any information that they do not want management and/or other employees to see, hear or read.

Employee's communication through these electronic communication systems must always be handled in a professional and ethical manner since it reflects on the Company, the people we support, prospects, competitors, suppliers and other employers. Nothing should be communicated through the electronic communication system that would be inappropriate in any other medium or form of business communication. Specifically, the electronic communications systems are not to be used in a way that may be disruptive, illegal, offensive to others, or harmful to morale. Each employee is responsible for abiding by copyright and trade secret laws in the use and transmission of information.

The use of derogatory, inappropriate, discriminatory and/or non-professional communication, including but not limited to slander, harassment of any type (sexual, racial, etc.) or obscenity is prohibited. Similarly, there is to be no display or transmission of sexually explicit images, messages or cartoons.

All data contained in this system is Company property and should not be disclosed, accessed or manipulated for any purposes other than official business. No attempt should be made to override or deceive any security precautions assigned to the computer system. Employees are required to keep their passwords confidential, change them on a regular basis and to comply with all security procedures. The unauthorized use of a password or the unauthorized access to or retrieval of information transmitted or stored in the electronic communication system is strictly prohibited.

Attachment: Employee Acknowledgement Form


The purpose of this policy is to establish the use of Therap, providing the agency with the ability to comply with CMS Electronic Signature Guidance, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Uniform Electronic Transactions Act (UETA) and E-SIGN (The Electronic Signatures in Global and National Commerce Act), compliance guidelines and requirements for the use and storage of electronic data records for the agency. The agency's electronic data records in Therap will be made available via a special access account for review and will be retrievable for authorized state survey team members, auditors and investigative staff. All Therap modules will be made available for review, including activity tracking, secure communications, archive data, management reports, GER (Incident Reports), behavior data, eMAR, personal finance, IP, and ISP data and health tracking, billing information, staff training records, T-Log notes, periodic reports , etc.

Effective Date:
February 19, 2015