AUP – Acceptable Use Policy

In the context of Intellectual and Developmental Disabilities (IDD) care, an Acceptable Use Policy (AUP) is a set of rules and guidelines that govern the proper use of an organization’s technology, data, and systems. It ensures that staff, caregivers, and other authorized users follow best practices when handling sensitive information, such as protected health information (PHI), electronic health records (EHR), and Medicaid billing data.

Key Components of an Acceptable Use Policy in IDD Care

  1. Data Privacy & Confidentiality
    • Prohibits unauthorized access to individuals’ personal health information (HIPAA compliance).
    • Defines how PHI and personally identifiable information (PII) should be stored, accessed, and shared.
  2. Electronic Health Records (EHR) and Documentation
    • Specifies proper documentation practices to ensure accuracy and compliance.
    • Outlines consequences for altering or falsifying records.
  3. Use of Agency-Owned Devices and Systems
    • Sets rules for using agency-owned computers, mobile devices, and email accounts.
    • Defines whether personal devices can be used for work-related tasks.
  4. Cybersecurity & System Access
    • Requires strong passwords and multi-factor authentication for system logins.
    • Restricts access to authorized personnel only, based on job roles.
    • Prohibits sharing login credentials or leaving systems unlocked when unattended.
  5. Email, Internet, and Social Media Usage
    • Prohibits discussing or sharing PHI via unsecured email or social media.
    • Limits personal use of the internet on agency devices.
    • Establishes guidelines for professional communication.
  6. Reporting Security Breaches or Violations
    • Defines procedures for reporting lost/stolen devices, unauthorized access, or suspicious activity.
    • Outlines disciplinary actions for policy violations.

Why an AUP is Important for IDD Providers

  • Ensures compliance with HIPAA and state regulations.
  • Protects sensitive client data from misuse or breaches.
  • Reduces liability risks for IDD provider agencies.
  • Provides clear expectations for employees regarding technology and data use.