Best Practices in Data Security at Magnus

Magnus Health
February 23, 2018

**This blog post is not legal advice, nor is it a substitute for legal advice.**


As a provider of the Student Health Record (SHR) solution for schools, our number one priority at Magnus Health is the security of the Personal Health Information (PHI) that is collected and stored within our software. We are committed to maintaining the confidentiality, integrity and security of the personal information about our current and prospective users. This is why we’ve implemented, and continue to enhance, a comprehensive privacy program. This program includes administrative, technical, and physical safeguards that are appropriate and applicable to our company and that ensure the safety of our users’ data.

As a part of our privacy program, we have established a privacy committee that is dedicated to informing both our Magnus employees and our school end-users of our privacy policies and data security protocols. To uphold this responsibility, the committee conducts an annual privacy training for all employees and additional training sessions as policies and regulations change. Additionally, we limit access to personal information to those employees who reasonably need to come into contact with that data to provide services to our client schools. The Magnus privacy committee is also responsible for conducting annual departmental and company-wide risk analysis with a third party to ensure risks are handled and mitigated appropriately so that our policies adhere to current legislation.

In addition to our privacy policies and practices, Magnus has obtained a certification from TRUSTe and is an annual signatory of the Student Privacy Pledge. There are many steps that schools can take to ensure that their student and parent data is secure both within an SHR solution and internally at the school. Here are a few common mistakes that can be easily avoided by implementing a few data security best practices.

Individual User Accounts
Each user, whether health, athletic, counseling or administrative, should have their own account within the school’s SHR account. By assigning individualized accounts, you ensure that each user is only accessing the information that is required for their task at hand. Every user should have their own login credentials, and user privileges that are aligned with that person’s job and/or duties. Individual accounts can also be audited for items such as who charted a treatment note or uploaded a particular document.

Less is More
Every effort should be made to ensure the security of Protected Health Information (PHI). Thus, we should only grant the minimum amount of PHI access needed for an individual looking to complete a specific task. User privileges set within an SHR such as Magnus are quite granular and have the capability of limiting the students, documents, and treatments that a particular user can access. Here is an example of a step-by-step guide on how Magnus users can set up user privileges within their account:
http://training.magnushealth.com/userguide/how-to-setup-a-new-user-and-manage-user-privileges/

Communicating PHI via Email
When communicating PHI, you want to ensure that you’re utilizing a method that is secure. E-mail is not a secure method of communication and should not be utilized to transfer the health records or health information of a student, parent, or a faculty member. When sending out emails, you should refrain from placing personal identifiers within the email, other than the first initial and last name of a student. A student’s full name is considered PHI and should not be communicated via email. Additionally, health data and records received by e-mail as attachments should not be accepted internally at your school. Following this data security best practice, Magnus does not accept this type of personal data from our client schools. Communicating PHI should be completed through a secure portal, such as Sharefile, box.com, or an encrypted email server.

Working with too Many Open Tabs
Most online users tend to have several tabs open on their desktop as they go about performing their daily tasks. This is a common practice, but it presents a data security threat to users handling PHI while using an SHR solution. With multiple tabs open at once within the same browser (e.g., Chrome or Firefox), there is an increased risk of the wrong information being entered into a student’s account. To avoid this, we advise users against this practice. As a safeguard, Magnus software offers “Visit Log” and “Draft Note” features that allow users to save an unfinished note as a draft, begin charting on another student, then return to the draft note later to complete it.

Incorrect Relationships
Another common data security challenge Magnus has observed, one that could possibly compromise student PHI, is the linking of a parent to the wrong student account. Within the Magnus SHR solution, accounts are created based on a “Vendor Key,” which is a unique identifier, typically a string of letters or numbers, that is specific to each student and parent account. Vendor Keys are not shared between family members, so Student 1 may have a vendor key of “123” and Parent 1 may have a vendor key of “456”. Typically, the vendor keys are derived from the school’s Student Information System (SIS) or an integration with an SHR system. If the vendor keys are duplicated, or incorrectly assigned within the school’s database, then an account relationship may be inaccurate within an SHR system. Using the same vendor key for the lifetime of an account, including when updating account information through Secure File Transfer Protocol (SFTP) or an integration, ensures that the parent and their student are linked properly.
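
One way a school could check an SIS export for these problems before sending it by SFTP is sketched below. This is an added example, not Magnus code: the CSV columns (vendor_key, role, name, linked_student_key), the sample rows and the function names are assumptions made for illustration, and matching accounts by name is only a heuristic to flag rows for human review.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. The column names are assumptions for this
# example, not the Magnus import format.
PREVIOUS = """vendor_key,role,name,linked_student_key
123,student,Student 1,
789,student,Student 2,
456,parent,Parent 1,123
321,parent,Parent 3,123
"""
CURRENT = """vendor_key,role,name,linked_student_key
123,student,Student 1,
789,student,Student 2,
456,parent,Parent 1,789
789,parent,Parent 2,123
555,parent,Parent 3,999
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def check_export(current_text, previous_text):
    """Return sorted (issue, vendor_key) findings to review before upload."""
    current, previous = load(current_text), load(previous_text)
    findings = set()
    # A vendor key must identify exactly one account.
    seen = defaultdict(int)
    for row in current:
        seen[row["vendor_key"]] += 1
    findings |= {("duplicate_key", k) for k, n in seen.items() if n > 1}
    students = {r["vendor_key"] for r in current if r["role"] == "student"}
    old_key = {(r["role"], r["name"]): r["vendor_key"] for r in previous}
    old_link = {r["vendor_key"]: r["linked_student_key"]
                for r in previous if r["role"] == "parent"}
    for row in current:
        key, link = row["vendor_key"], row["linked_student_key"]
        # The same account should keep its key for its lifetime.
        if old_key.get((row["role"], row["name"]), key) != key:
            findings.add(("key_changed", key))
        if row["role"] != "parent":
            continue
        if link not in students:
            findings.add(("link_to_unknown_student", key))
        elif old_link.get(key, link) != link:
            findings.add(("link_changed", key))
    return sorted(findings)

if __name__ == "__main__":
    for issue, key in check_export(CURRENT, PREVIOUS):
        print(f"{issue}: vendor key {key}")
```

Any finding should hold the upload until someone confirms the relationship against the SIS record.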

Printing Personal Data
At Magnus Health, our number one priority is the security of our client school students’ data. We take security into consideration when building any new feature within our software. Each school plays a vital role in the protection of PHI as well. There are many places where personal data can be printed from within the Magnus SHR software:

  • Magnus911 Emergency Cards
  • Vital Health Record (VHR) reports
  • Student Records

School staff should be mindful of when and where they are printing this personal student data. Before printing, make sure that you will be at the printer when the documents are complete and ready for pickup. Once printed, store the documents in a secure location. Many Magnus client schools place their Magnus911 student emergency cards in a sealed envelope or a lock box when attending field trips.

The protection of your school and student data is important to Magnus, and should be a priority to all SHR providers and school staff. For more information on our Privacy Policies, or how you can protect student data at your school, please email privacy@magnushealthportal.com or check out our Privacy Webinar!
