Everett School Employee Benefit Trust
HIPAA Security Policy
I. Introduction
Everett School Employee Benefit Trust (“Trust”) provides one or more group health plans subject to HIPAA’s security regulations (collectively the “Group Health Plan”) for eligible employees of the Everett School District (“District”). The Group Health Plan is sponsored by the District and the Everett Education Association (collectively the “Plan Sponsor”). Members of the District’s workforce may create, receive, maintain, or transmit certain limited amounts of electronic protected health information (as defined below) on behalf of the Plan Sponsor, for plan administration functions.
The Group Health Plan is
administered by one or more third-party administrators and has one or more business associates that perform functions for
subject to the security rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing administrative simplification security regulations (“Security Rules”).
Most of
the Group Health Plan
is provided pursuant to insurance policies issued by insurance companies (“Health Insurance Issuers”)
. Almost all of the electronic protected health information of the Group Health Plan resides with
the Group Health Plan’s third-party administrators and other business associates
these Health Insurance Issuers, which are also subject to HIPAA and the Security Rules. This Policy is complementary and supplementary to the HIPAA security policies of the Health Insurance Issuers. To the extent that PHI (defined below) is under the control of a Health Insurance Issuer, and has not been disclosed or released to any member of the District’s workforce, the Health Insurance Issuer has primary responsibility for compliance with the Security Rules
.
The purpose of this document is to set a policy for the Group Health Plan to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) security regulations concerning electronic protected health information, which are found at 45 C.F.R. Parts 160 and 164. HIPAA and its implementing regulations require the Group Health Plan to implement various security measures with respect to electronic protected health information (“ePHI”).
It is the Group Health Plan's policy to comply fully with the requirements of HIPAA’s security regulations. No third-party rights (including, but not limited to, rights of Group Health Plan participants, beneficiaries, or covered dependents) are intended to be created by this Policy. The Group Health Plan reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent that this Policy establishes requirements and obligations above and beyond those required by HIPAA, the Policy shall be aspirational and shall not be binding upon the Group Health Plan. This Policy does not address requirements under state law or federal laws other than HIPAA.
II. Definitions
| A. | Electronic Protected Health Information or ePHI is protected health information that is transmitted by or maintained in electronic media. |
| B. | Protected Health Information or PHI is the information that is subject to and defined in the Group Health Plan's privacy policies and procedures. For purposes of this Policy, PHI does not include the following, referred to in this Policy as “Exempt Information”: |
| 1. | summary health information, as defined by HIPAA’s privacy rules, for purposes of (a) obtaining premium bids or (b) modifying, amending, or terminating the Group Health Plan; |
| 2. | enrollment and disenrollment information concerning the Group Health Plan which does not include any substantial clinical information; |
| 3. | health information which has been de-identified in accordance with HIPAA’s privacy rules; or |
| 4. | PHI disclosed to the Group Health Plan and/or District under signed authorization that meets the requirements of the HIPAA privacy rules. |
C. Electronic Media means:
| 1. | Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or |
| 2. | Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice via telephone are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. |
III. Security Official
Molly Ringo is the Security Official for the Group Health Plan. The Security Official is responsible for the development and implementation of the Group Health Plan's policies and procedures relating to security, including but not limited to this Policy. The Security Official also shall hear all complaints regarding alleged violations of this Policy and shall ensure that the complaint and its disposition are appropriately handled and documented.
IV. Risk Analysis
The Group Health Plan, in connection with the District’s Human Resources Department, has undertaken a risk analysis to assess the potential vulnerabilities and risks to the confidentiality, integrity and availability of ePHI, with the following results:
The Group Health Plan has no employees. The Trustees of the Trust are not involved in the appeals of claim denials or in any other capacity concerning the processing of claims. All of the Group Health Plan's functions, including creation and maintenance of its records, are carried out by
the Health Insurance Issuers,
business associates of the Group Health Plan, and to a small extent, employees of the District’s Human Resources Department. The Group Health Plan does not own or control any of the equipment or media used to create, maintain, receive, and transmit ePHI relating to the Group Health Plan, or any of the facilities in which such equipment and media are located. Such equipment, media, and facilities are owned or controlled by the
third-party administrator, other
Health Insurance Issuers,
business associates, and to a limited extent, the District. Accordingly,
Health Insurance Issuers,
the business associates of the Group Health Plan
,
or the District: (1) create and maintain all of the ePHI relating to the Group Health Plan; (2) own or control all of the equipment, media, and facilities used to create, maintain, receive, or transmit ePHI relating to the Group Health Plan, and (3) control their employees, agents, and subcontractors who have access to ePHI relating to the Group Health Plan. The Group Health Plan has no or limited ability to assess or in any way modify any potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI being held by
third-party administrators
Health Insurance Issuers
and business associates.
Because the Group Health Plan has no access to or control over the employees, equipment, media, facilities, policies, procedures, or documentation of the
third-party administrators
Health Insurance Issuers
and
other
business associates affecting the security of the Group Health Plan ePHI, the
third-party administrators and other
Health Insurance Issuers and
business associates have undertaken certain obligations relating to the security of ePHI that they handle in relation to the performance of administration functions for the Group Health Plan, the Group Health Plan's policies and procedures, including this Policy, do not separately address the following standards (including the implementation specifications associated with them) established under HIPAA and are set out in Subpart C of 45 CFR Part 164, except in conjunction with the District’s Human Resources Department, as described in Section
VII
VIII
of this Policy:
| · security management process; | |||
| · workforce security; | |||
| · information access management; | |||
| · security awareness and training; | |||
| · security incident procedures; | |||
| · contingency plan; | |||
| · evaluation; | |||
| · facility access controls; | |||
| · workstation use; | |||
| · workstation security; | |||
| · device and media controls; | |||
| · access control; | |||
| · audit controls; | |||
| · integrity; | |||
| · person or entity authentication; and | |||
| · transmission security. | |||
The HIPAA security policies and procedures of the
third-party administrators
Health Insurance Issuers
and
other
business associates for ePHI of the Group Health Plan for the standards listed above, as well as the policy under these procedures as set forth in Section
VII
VIII
of this Policy, are adopted by the Group Health Plan.
V. Group Health Plan Document: Plan Sponsor’s Safeguards
The Group Health Plan documents include provisions requiring the Plan Sponsor to:
| · implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the Plan Sponsor creates, receives, maintains, or transmits on behalf of the Group Health Plan (“Plan’s ePHI”); | |||
| ·
ensure that reasonable and appropriate security measures support the Group Health Plan document provisions providing for adequate separation between the Group Health Plan and the Plan Sponsor
| |||
| · ensure that any agents or subcontractors to whom the Plan Sponsor provides the Plan’s ePHI agree to implement reasonable and appropriate security measures to protect the Plan’s ePHI; and | |||
| · report to the Security Official any security incident of which the Plan Sponsor becomes aware. |
VI. Risk Management
The Group Health Plan manages risks to its ePHI by limiting vulnerabilities, based on its risk analyses, to a reasonable and appropriate level, taking into account the following:
| · The size, complexity, and capabilities of the Group Health Plan; | |||
| · The Group Health Plan’s technical infrastructure, hardware, software, and security capabilities; | |||
| · The costs of security measures; and, | |||
| · The criticality of the ePHI potentially affected. |
Based on risk analysis discussed in section IV of this Policy, the Group Health Plan has made a reasoned, well-informed, and good-faith determination on the implementation of the HIPAA security regulations that the Group Health Plan need not take any additional security measures, other than the measures set forth herein and the measures adopted to reduce risks to the confidentiality, integrity and availability of ePHI: (a) in conjunction with the Human Resources Department of the District as described in Section
VII
VIII
; and (b) by the
third-party administrators and other
Health Insurance Issuers and
business associates of the Group Health Plan.
| VII. | Disclosures of ePHI to |
A business associate is an entity (other than the Plan Sponsor
or a Health Insurance Issuer
)
, such as a third-party administrator,
that:
| ·
performs or assists in performing a Group Health Plan function or activity involving the use and disclosure of PHI (including
| |||
| · provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI. |
The Group Health Plan permits
the third-party administrators and other
business associates to create, receive, maintain, or transmit ePHI on its behalf. The Group Health Plan has obtained or will obtain satisfactory assurances from all business associates that they will appropriately safeguard the information. Such satisfactory assurances shall be documented through a written contract containing all of the requirements of the HIPAA privacy and security regulations and specifically providing that the business associate will:
| · implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of all of the Plan’s ePHI that the business associate creates, receives, maintains, or transmits on behalf of the Group Health Plan; | |||
| · ensure that any agents or subcontractors to whom the business associate provides the Plan’s ePHI agree to implement reasonable and appropriate security measures to protect the Plan’s ePHI; | |||
| · take required steps with respect to notification requirements concerning breaches of unsecure PHI; | |||
| · report to the Group Health Plan any security incident of which the business associate becomes aware; and | |||
| · authorize termination of the contract by the Group Health Plan, if the Group Health Plan determines that the business associate has violated a material term of the contract. |
In addition to these requirements being contractual obligations of the business associate under the written contract,
effective February 17, 2010
a business associate of the Group Health Plan
will be
is
required under federal law and independent of such written contract to comply with the HIPAA security regulations to protect the security of the ePHI the business associate creates, receives, maintains, and transmits on behalf of the Group Health Plan. Thus, the Group Health Plan can reasonably rely that its business associates will comply with the HIPAA security requirements pursuant to applicable federal law.
| VIII. | HIPAA Security Compliance Measures for Group Health Plan in Conjunction with District’s Human Resources Department |
Certain employees of the District may have
limited
access to ePHI of the Group Health Plan for plan administration and other permissible purposes
. Typically, such ePHI is provided to these employees of the District by third-party administrators of the Group Health Plan via secured
, via access to secure
servers of the
third-party administrators. Access
Health Insurance Issuers or other secure means. If available, access
to these secured servers is password-protected, and only certain members of the Human Resources Department have passwords to access these servers. To
a
an even
more limited extent, it is possible that ePHI may be communicated via the District’s email system, and such ePHI is stored and used on District computers and other electronic media. The Group Health Plan, in conjunction with the District’s Human Resources Department, has undertaken necessary and appropriate steps, as described in this Section
VII
VIII
, to protect the security of the Plan’s ePHI which is created, received, maintained, or transmitted by the Human Resources Department (“HR Department”) employees.
A. Administrative Safeguards.
| 1. | Security Management Process. The following policies and procedures regarding security management of ePHI are adopted: |
| a. | Risk Analysis. The following is a description of the risk analysis undertaken to assess the potential vulnerabilities and risks to the confidentiality, integrity and availability of the Plan’s ePHI being used or held by certain District employees. The |
| b. | Risk Management. The following security measures are in place to reduce risks and vulnerabilities to the ePHI in Microsoft Outlook. |
| i. | The District’s Human Resources’ department is not open to the general public. Visitors or non-Department employees must be escorted by HR Employees. |
| ii. | HR Employees with access to ePHI are required to protect their passwords from other employees and from visitors by storing their passwords in secure locations. |
| iii. | Computers for the HR Employees have in place a mechanism by which the computer will lock-down after a period of 10 minutes of non-use. |
| iv. | Temporary employees will not be hired to fill HR Employee positions unless the temporary employees are fully trained regarding this policy and the HIPAA privacy policies relating to the Group Health Plan. Temporary employees will be screened to determine whether access to ePHI should be granted to them. |
| v. | In addition, the HR Department and the Group Health Plan will continue to implement other security measures already in place and described in the previous section, Risk Analysis, to protect the ePHI of the Group Health Plan. |
| c. | Sanction Policy. District employees who violate this policy are subject to disciplinary action, including, but not limited to, reprimands and termination. |
| d. | Information System Activity Review. On a periodic basis, the HR Department or a representative of the Group Health Plan will review records of information system activity, especially activity in Outlook, such as audit logs or access reports, to determine if security violations relating to the ePHI have occurred. The results of these reviews will be documented and kept in a secure file with the Security Official. |
| 2. | Workforce Security. The following policies and procedures regarding workforce security are adopted: |
| a. | Authorization and/or Supervision. Outside visitors and employees of other departments of the District are not authorized to be in the HR Department workplace unless they are supervised by HR Employees, who are trained not to allow unauthorized access to ePHI. HR Employees are required to monitor their workstations so that unauthorized employees or guests do not inadvertently view or have access to ePHI of the Group Health Plan. Computers of HR Employees are protected by unique user identification and passwords. HR Employees are required to log off of their computers or turn their computers off at night when cleaning crews are in the area. |
| b. | Workforce Clearance Procedures. Only HR Employees work on a daily basis with ePHI of the Group Health Plan. There is a screening process, which includes a background check in the hiring process, to determine that access to ePHI is appropriate for these employees. HR Employees only have access to ePHI for purposes of administration of the Group Health Plan. |
| c. | Termination Procedures. Access to ePHI will be terminated as soon as practicable when an HR Employee’s employment at the District terminates. When an HR Employee leaves the employment of the District, the employee is required to turn in all keys, badges and passcards for access to the building and to their previous workplaces. The entire accounts for such terminated employees, including passwords and unique user identifications, are immediately disabled on the District’s computer systems. |
| 3. | Information Access Management. The following policies and procedures regarding information access management are adopted. |
| a. | Isolating Healthcare Clearinghouse Functions. This standard does not apply to the Group Health Plan. |
| b. | Access Authorization. Only HR Employees have access to ePHI on a regular basis. Other personnel, such as those responsible for the District’s computers, are only granted access to ePHI on a very limited and “as needed” basis for issues dealing with the computer of an HR Employee. Any access to ePHI granted to non-HR Employee District personnel is also only the minimum necessary to accomplish the particular necessary task or function. |
| c. | Access Establishment and Modification. Only HR Employees have access to ePHI on a regular basis. If an HR Employee is transferred outside of the HR Department, the Plan’s Security Official and/or supervisory employees in the HR Department will take appropriate steps to block further access to ePHI of the Group Health Plan, including removing these files from Outlook Exchange for the employee and terminating their passwords to secure servers of |
| 4. | Security Awareness Training. The following policies and procedures regarding security awareness training are adopted. |
| a. | Security Reminders. HR Employees receive initial and continuing training in HIPAA security rules and this policy, as directed by the Security Official. The Security Official will periodically send emails or other communications reminding them of the rules and this policy, and will ensure that new HR Employees receive training as needed. |
| b. | Protections from Malicious Software. The District’s computers and computer networks and systems, including those used by the HR Employees, have protections against viruses and worms and similar malicious software programs. These protections are updated on a periodic basis. HR Employees may not install unauthorized software on their computers at work. |
| c. | Log-in Monitoring. After three attempts, District computers will not grant access to an individual user if the user attempts to enter the system and does not enter the correct password. In this instance, the employee in question must obtain a new password in order to operate the computer at his or her desk. Issues and discrepancies relating to log-in monitoring success and failures are reported to the Security Official. |
| d. | Password Management. Passwords to the computers of the HR Employees have certain characteristics that make them difficult to duplicate. All passwords are required to be changed every 90 days. HR Employees may not share their passwords with other employees and may not have passwords easily accessible at their workstations. |
| 5. | Security Incident Procedures. The following policies and procedures regarding security incidents are adopted. |
| a. | Response and Reporting. All HR Employees are required to report any security incidents to the Security Official for appropriate investigation and action. For purposes of this Policy, a security incident is any attempted or successful unauthorized access, use, disclosure, modification of destruction of information or interference with system operations in the District computers which would involve ePHI. The Security Official will respond to security incidents and will document the security incidents and outcomes. To the extent practicable, the Security Official will take steps to mitigate the harmful effects of the security incidents which are reported to the Security Official. |
6. Contingency Plan. The following contingency plans and policies are adopted.
| a. | Data Backup Plan. The District has a data backup plan which applies to the ePHI held on the HR Department computers. In addition, since the Group Health Plan is run by |
| b. | Disaster Recovery Plan. A disaster at HR Department offices would not effect in any large measure the day-to-day operations of the Group Health Plan. In the event of a disaster at the offices, essential ePHI would be obtained from data backup sources, from providers, from the |
| c. | Emergency Mode Operation Plan. In an emergency, the Group Health Plan would be operated, as it is now, through |
| d. | Testing and Revision Procedures. The District conducts fire drills and similar types of testing at the HR Offices. |
| e. | Periodic Review. The Group Health Plan will conduct periodic reviews of its contingency plans to determine whether revisions are necessary or desirable. |
| f. | Applications and Data Criticality Analysis. The most critical applications for ePHI are Outlook and the firewall software (i.e., the virus and worm protection software) utilized by the District. |
| 7. | Evaluation. The following policies and procedures regarding evaluation of its security safeguards are adopted. |
| a. | Periodic Technical and Non-Technical Evaluation. The Trustees of the Trust and the HR Department will conduct periodic evaluations (technical and non-technical) of its security safeguards to determine the continued protection of the ePHI of the Group Health Plan and to determine if new risks may be present. Such evaluations are appropriate when new technology, new risks or other changes to the security environment occur. |
B. Physical Safeguards.
| 1. | Facility Access Controls. The following policies and procedures regarding facility access controls are adopted. |
| a. | Contingency Operations. In an emergency, the Group Health Plan would be operated, as it is now, through the |
| b. | Facility Security Plan. The District offices have a facility security plan. Most doors to the building have controlled entrances which require keys for entrance. Visitors to the building must check in and be escorted by District employees. Any unauthorized entries are immediately reported to security personnel or as necessary to the Everett police department and other law enforcement officials. |
| c. | Access Control and Validation Procedures. Visitors to the District offices are escorted by District employees. Employees of other departments are not authorized to be in the Human Resources workplace unless they are supervised by HR Employees. Computers housing ePHI are protected by passwords. Computers are logged off or turned off at night when cleaning crews or other maintenance personnel are in the Human Resources department. |
| d. | Maintenance Records. The Security Official will document repairs and modifications to the physical components of the security systems which relate to ePHI of the Group Health Plan. |
| 2. | Workstations Use and Workstations Security. The following policies and procedures regarding workstations use and security are adopted. |
| a. | Proper Functioning and Physical Attributes of Workstations, Physical Safeguards for Workstations. District employees who are not employees of the HR Department are not authorized to be in the HR Department or to view the computers of HR Employees, unless such non-HR Department employees are adequately and properly supervised. Access to HR Employee workstations is controlled by unique user identification codes and passwords. HR Employees are required to log off of their computers at the end of the work day and when they are going to be away from their workstations for extended periods of time during the work day. See also the policies for Facility Security Plan. HR Employees are not authorized to access email with ePHI when they are off-site. |
| 3. | Device and Media Controls. The following policies and procedures regarding device and media controls are adopted. |
| a. | Proper Disposal of PHI and Hardware/Software Storing PHI. Before disposal of a computer in the HR Department, the Security Official or her designee shall insure that all ePHI in the computer is completely removed from the computer. Before such removal of the ePHI, any essential ePHI on the computer will be retrieved and stored elsewhere if it is not otherwise available. |
| b. | Media Re-Use. Before re-use of a HR Department computer by another District department, all ePHI on the computer is completely removed from the computer in a manner which makes its re-creation by a new user impossible. If ePHI is stored on CD, floppy discs or other similar electronic media, the ePHI will be completely removed prior to re-use of the electronic media, or the electronic media will be destroyed and not re-used. If ePHI is stored on CD, floppy discs or other similar electronic media, the media will be store in locked file cabinets. |
| c. | Accountability. The District maintains a record of all District computers by serial number and a log of the location of these computers. |
| d. | Data Backup and Storage. Appropriate steps will be undertaken to create a copy of essential ePHI on the computers of HR Employees if the computers are moved and such movement creates a risk of losing data or a risk to the integrity of the data. |
C. Technical Safeguards.
| 1. | Access Controls. The following policies and procedures regarding access controls are adopted. |
| a. | Unique User Identification. There is an assigned unique user name for identifying and tracking the identity of users of the HR Department computers, along with passwords. All passwords are required to be changed every 90 days. It is violation of this policy for HR Employees to allow another person access to or to use the HR Employee’s unique user identifications and/or passwords. All HR Employees must ensure that their passwords are not documented, written, or otherwise exposed in an insecure manner. If an HR Employee has a reason to believe that his or her user identification or password has in any way been compromised, he or she must report that security incident to the Security Official. |
| b. | Emergency Access Procedure. In the event of an emergency, ePHI of the Group Health Plan will be obtained through the |
| c. | Automatic Logoff. The computers of HR Employees have an automatic logoff feature. |
| d. | Encryption. |
| 2. | Audit Controls. The following policies and procedures regarding audit controls of the ePHI are adopted. |
| a. | Record Internal Uses of PHI by User. The District has in place computer programs which allow the District to record and examine activity by users. |
| 3. | Integrity. The following policies and procedures regarding integrity of ePHI are adopted. |
| a. | Mechanism to Authenticate ePHI. The official records of the Group Health Plan are held in the possession of the |
| 4. | Person or Entity Authentication. The following policies and procedures regarding person or entity authentication are adopted. |
| a. | Person/Entity Seeking Access is the One Claimed. The HR Department utilizes unique user ID and passwords to verify that persons seeking access to ePHI are the employees authorized to gain such access. |
| 5. | Transmission Security. The following policies and procedures regarding the security of transmissions of ePHI are adopted. |
| a. | Integrity Controls. Most of the ePHI obtained by HR Employees is located on secured servers from |
| b. | Encryption. Most of the ePHI obtained by HR Employees is ePHI transmitted to and from the |
D. Breaches of Unsecured PHI.
The Group Health Plan will comply with the requirements of HIPAA and implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if the Group Health Plan
, a Health Insurance Issuer
or
one of its
a
business
associates
associate
discovers a breach of unsecured PHI.
IX. Documentation
The Group Health Plan's security policies and procedures shall be documented, reviewed periodically, and updated as necessary in response to environmental or operational changes affecting the security of Group Health Plan ePHI, and any changes to policies or procedures will be documented promptly.
Except to the extent that they are carried out by the HR Employees or business associates, the Group Health Plan shall document certain actions, activities, and assessments with respect to ePHI required by HIPAA to be documented (including amendment of the Group Health Plan document in accordance with this policy, for example).
Policies, procedures, and other documentation controlled by the Group Health Plan may be maintained in either written or electronic form. The Group Health Plan will maintain such documentation for at least six years from the date of creation or the date last in effect, whichever is later.
The Group Health Plan will make its policies, procedures, and other documentation available to the Security Official and the Plan Sponsor,
the third-party administrators
Health Insurance Issuers,
and
other
business associates or other persons responsible for implementing the procedures to which the documentation pertains.
Document comparison by Workshare Professional on Thursday, February 09, 2012 9:02:46 AM
| Input: |
| Legend: |
| Insertion |
| Moved to |
| Style change |
| Format change |
| Inserted cell | |
| Deleted cell | |
| Moved cell | |
| Split/Merged cell | |
| Padding cell |
| Statistics: |
| Count | |
| Insertions | 58
|
| Deletions | 58
|
| Moved from | 0
|
| Moved to | 0
|
| Style change | 0
|
| Format changed | 0
|
| Total changes | 116
|
3583040.2
3583040.3
0053709- 00001 1