Effective January 1, 2022
The Health Plan is a group health plan sponsored by the University. The University’s workforce members create, receive, maintain, or transmit electronic protected health information (as defined in the Privacy Policy) on behalf of the University, for plan administration functions. The Health Plan is administered by a third-party administrator and has one or more business associates that perform functions for the Health Plan.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and their implementing regulations and guidance require the Health Plan to implement various security measures with respect to electronic protected health information (electronic PHI).
Electronic PHI is PHI that is transmitted by or maintained in electronic media.
Electronic Media means:
- (1) Electronic storage material on which data is or may be recorded electronically, including devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
- (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet, intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including paper, voice via telephone, and facsimile, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
No third-party rights (including but not limited to rights of Health Plan participants, beneficiaries, or covered dependents) are created by this Security Policy. The Health Plan reserves the right to amend or change this Security Policy at any time (and even retroactively) without notice. To the extent that this Security Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the Health Plan. This Policy does not address requirements under state law or federal laws other than HIPAA.
I. Security Official
The Director of Human Resources is the Security Official for the Health Plan. The Security Official is responsible for the development and implementation of the Health Plan’s policies and procedures relating to security, including but not limited to this Policy. The Security Official will coordinate the Health Plan’s security activities with the Plan’s Privacy Official.
II. Risk Analysis
The Health Plan will rely on the risk analysis performed by the University to identify threats, vulnerabilities, and risks to electronic PHI.
III. Risk Management
The Health Plan relies on the University to identify and manage risks to electronic PHI by limiting vulnerabilities to a reasonable and appropriate level, taking into account the following:
- The University’s and the Health Plan’s size, complexity, and capabilities;
- The University’s and the Health Plan’s technical infrastructure, hardware, software, and security capabilities;
- The costs of security measures; and
- The criticality of the electronic PHI potentially affected and the probability of the various risks.
IV. Administrative, Physical, and Technical Safeguards
HIPAA’s security rule requires the University to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that the University creates, receives, maintains, or transmits on behalf of the Health Plan. The Health
Plan adopts the following safeguards implemented by the University:
Administrative Safeguards
| Standard | Implementation Specification | Documentation | Description |
| Security Management Process | Sanction Policy (Required) | Apply appropriate sanctions against workforce members who fail to comply with the Health Plan’s security policies and procedures. | |
| Information System Activity Review (Required) | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | ||
| Assigned Security Responsibility | No implementation specifications | Appoint a security official. | |
| Workforce Security | Authorization and/or Supervision (Addressable) | Implement procedures for the authorization and supervision of workforce members who work with electronic PHI or who work in locations where it might be accessed. | |
| Workforce Clearance Procedure (Addressable) | Implement procedures to determine that a workforce member’s access to electronic PHI is appropriate. | ||
| Termination Procedures (Addressable) | Implement procedures to terminate access to electronic PHI when the employment of a workforce member ends, or when it is determined that it is not appropriate for a certain workforce member to have access to electronic PHI. | ||
| Information Access Management | Access Authorization (Addressable) | Implement policies and procedures to grant access to electronic PHI, for example, through access to a workstation, transaction, program, process, or other mechanism. | |
| Access Establishment and Modification (Addressable) | Implement policies and procedures that, based on the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. | ||
| Security Awareness and Training | Security Reminders (Addressable) | Implement procedures to distribute periodic security updates. | |
| Protection From Malicious Software (Addressable) | Implement procedures to guard against, detect, and report malicious software. | ||
| Login Monitoring (Addressable) | Implement procedures to monitor login attempts and to report discrepancies. | ||
| Password Management (Addressable) | Implement procedures to create, change, and safeguard passwords. | ||
| Security Incident Procedures | Response and Reporting (Required) | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity; and document security incidents and their outcomes. | |
| Contingency Plan | Data Backup Plan (Required) | Establish and implement procedures to create and maintain retrievable, exact copies of electronic PHI. | |
| Disaster Recovery Plan (Required) | Establish (and implement as needed) procedures to restore any loss of data. | ||
| Emergency Mode Operation Plan (Required) | Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode. | ||
| Testing and Revision Procedures (Addressable) | Implement procedures for periodic testing and revision of contingency plan. | ||
| Applications and Data Criticality Analysis (Addressable) | Assess the relative criticality of specific applications and data in support of other contingency plan components. | ||
| Evaluation | No implementation specifications | Perform periodic technical and nontechnical evaluations of safeguards. | |
| Business Associate Contracts and Other Arrangements | Written Contract or Other Arrangement (Required) | Document the business associate’s satisfactory assurances through a written contract or other arrangement that meets the requirements of the security rule. |
Administrative Safeguards
| Standard | Implementation Specification | Documentation | Description |
| Facility Access Controls | Contingency Operations (Addressable) | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operation plan. | |
| Facility Security Plan (Addressable) | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | ||
| Access Control and Validation Procedures (Addressable) | Implement procedures based on a person’s role or function to control and validate his or her access to facilities, including visitor control and control of access to software programs for testing and revision. | ||
| Maintenance Records (Addressable) | Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks). | ||
| Workstation Use | No implementation specifications | Implement policies and procedures that specify the proper functions, performance, and physical attributes of workstations that can access electronic PHI. | |
| Workstation Security | No implementation specifications | Implement safeguards that permit only authorized users to gain physical access to workstations that can access electronic PHI. | |
| Device and Media Controls | Disposal (Required) | Implement policies and procedures to address the final disposition of electronic PHI, and/or the hardware or electronic media on which it is stored. | |
| Media Reuse (Required) | Implement procedures for removal of electronic PHI from electronic media before the media are made available for reuse. | ||
| Accountability (Addressable) | Maintain a record of the movements of hardware and electronic media and any person responsible therefor. | ||
| Data Backup and Storage (Addressable) | Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment. |
Administrative Safeguards
| Standard | Implementation Specification | Documentation | Description |
| Access Control | Unique User Identification (Required) | Assign a unique user name and/or number for identifying and tracking user identity. | |
| Emergency Access (Required) | Establish (and implement as needed) procedures for obtaining necessary electronic PHI during an emergency. | ||
| Automatic Logoff (Addressable) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | ||
| Encryption and Decryption (Addressable) | Implement a mechanism to encrypt and decrypt electronic PHI (at rest). | ||
| Audit Controls | No implementation specifications | Implement hardware, software, and/or procedures to record and examine activity in systems that store or use electronic PHI. | |
| Integrity | Mechanism to Authenticate Electronic PHI (Addressable) | Implement electronic mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner. | |
| Person or Entity Authentication | No implementation specifications | Implement procedures to verify the identity of a person or entity seeking access to electronic PHI. | |
| Transmission Security | Integrity Controls (Addressable) | Implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection. | |
| Encryption (Addressable) | Implement a mechanism to encrypt electronic PHI (in transit) whenever it is deemed appropriate. |
Administrative Safeguards
| Standard | Implementation Specification | Documentation | Description |
| Business Associate Contracts or Other Arrangements | Business Associate Contracts or Other Arrangements (Required) | The Health Plan may not permit a business associate to create, receive, maintain, or transmit electronic PHI on the Health Plan’s behalf without a business associate contract (or, in limited cases, another arrangement). | |
| Organizational Relationships | Administrative, Physical, and Technical Safeguards; Agents and Subcontractors; Adequate Separation; Report (Required) | The Health Plan may not disclose electronic PHI to the University unless the plan document has been amended to require that the University implement certain safeguards and take certain other steps. |
V. Health Plan Document
The Health Plan document shall include provisions requiring the University to:
- implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that the University creates, receives, maintains, or transmits on behalf of the Health Plan;
- ensure that reasonable and appropriate security measures support the Health Plan document provisions providing for adequate separation between the Health Plan and the University(which were adopted as described in the Health Plan’s privacy policy);
- ensure that any agents to whom the University provides electronic PHI agree to implement reasonable and appropriate security measures to protect the electronic PHI; and
- report to the Security Official any security incident of which the University becomes aware.
VI. Disclosures of Electronic PHI to Third-Party Administrator and Other Business Associates
The Health Plan permits the third-party administrator and other business associates to create, receive, maintain, or transmit electronic PHI on its behalf. The Health Plan has obtained or will obtain satisfactory assurances from all business associates that they will appropriately safeguard the electronic PHI. Such satisfactory assurances shall be documented through a written contract containing all of the requirements of the HIPAA security regulations and specifically providing that the business associate will:
- implement administrative, physical, and technical safeguards and documentation requirements that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that the business associate creates, receives, maintains, or transmits on behalf of the Health Plan;
- ensure that any subcontractors that create, receive, maintain, or transmit electronic PHI on behalf of the business associate agree to comply with all of the requirements of the HIPAA security regulations to protect the electronic PHI;
- report to the Health Plan any security incident or breach of unsecured PHI of which the business associate becomes aware;
- take any contractually required steps with respect to breach notification requirements; and
- authorize termination of the contract by the Health Plan if the Health Plan determines that the business associate has violated a material term of the contract.
VII. Breach Notification Requirements
The Health Plan will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if the Health Plan or one of its business associates discovers a breach of unsecured PHI.
VIII. Documentation
The Health Plan’s security policies and procedures shall be documented, reviewed periodically, and updated as necessary to respond to environmental or operational changes affecting the security of Health Plan electronic PHI, and any necessary changes to policies or procedures will be documented and implemented promptly. Policies, procedures, and other documentation controlled by the Health Plan may be maintained in either written or electronic form. The Health Plan will maintain such documentation for at least six years from the date of creation or the date last in effect, whichever is later. The Health Plan will make its policies, procedures, and other documentation available to the Security Official and the University, the third-party administrator, and other business associates or other persons to the extent they are responsible for implementing the procedures to which the documentation pertains. The Health Plan may limit disclosures of policies and procedures if it determines that providing access to the policies and procedure would pose a security risk.
IX. Security Policy for Fully Insured Component Benefits
The Plan will keep the fully insured component benefits’ electronic PHI secure in accordance with the HIPAA security regulations. It is the Plan’s policy, working together with the Insurer, to:
- Ensure the confidentiality, integrity, and availability of the Plan’s electronic PHI;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of the electronic PHI;
- Protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted by HIPAA; and
- Ensure workforce compliance with the HIPAA security regulations and this policy.
Except for functions performed by the University using Exempt Information, all of the Plan’s functions related to fully insured component benefit, including creation and maintenance of its records, are carried out by the Insurer. The Plan does not own or control any of the equipment or media used to create, maintain, receive, and transmit electronic PHI relating to the fully insured component benefits of the Plan, or any of the facilities in which such equipment and media are located. Such equipment, media, and facilities are owned or controlled by the Insurer. Accordingly, the Insurer creates and maintains all of the electronic PHI relating to the insured component benefits of the Plan, owns or controls all of the equipment, media, and facilities used to create, maintain, receive, or transmit electronic PHI relating to the insured component benefits of the Plan, and has control of its employees, agents, and subcontractors that have access to electronic PHI relating to the Plan. The Plan has no ability to assess or modify any potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI relating to the insured component benefits of the Plan—that ability lies solely with the Insurer.
The Plan has no access to or control over the Insurer’s employees, equipment, media, facilities, policies, procedures, or documentation affecting the security of electronic PHI relating to the insured component benefits of the Plan, and the Insurer is a covered entity that is responsible under HIPAA to implement security measures with respect to electronic PHI (including electronic PHI relating to the Plan). The Insurer’s own security policies and procedures for electronic PHI of the Plan are adopted by the Plan.
Based on risk analysis, the Plan made a reasoned, well-informed and good-faith determination on the implementation of the HIPAA security regulations that it need not take any additional security measures, other than the measures of the Insurer, to reduce risks to the confidentiality, integrity and availability of electronic PHI for fully insured component benefit programs.