Policy No.:
8-27-2019
Revised Date:
The following describes WSU Employee Wellness’s policy regarding information system activity review.
Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.
Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media. IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse. Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.
Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.
WSU Employee Wellness will take reasonable and appropriate steps to ensure that its information systems have the appropriate hardware, software, or procedural auditing mechanisms installed on them to enable review of information system activity on a periodic basis. WSU Employee Wellness’s risk analysis shall determine the level and type of auditing mechanisms that will be implemented on its information systems. The types of auditing mechanisms may include: (a) failed authentication attempts; (b) use of audit software programs or utilities; (c) access to particularly designated electronic protected health information (“PHI”); (d) information system start-up or shutdown; (e) use of privileged accounts; or (f) security incidents. The auditing mechanisms will report, when possible: (a) the date and time of the activity; (b) a description of the attempted or completed activity; (c) an identification of the user performing the activity; and (d) the origin of the activity (e.g., IP address, workstation ID).
The Security Officer, and if necessary, Weber State University’s information technology provider, will review such reports on a periodic basis. Weber State University’s information technology provider shall work with the Privacy Officer in reviewing the reports. The Security Officer will consider the following when determining how often to review such reports: (a) the merit or sensitivity of the electronic PHI on the information system; (b) the importance of the applications operating on the information system; (c) the degree to which the information system is connected to other information systems; and (d) the degree to which that connection poses a risk to the electronic PHI.
The Security Officer’s review will include: (a) definition of what activity is significant; (b) procedures for defining how significant activity will be identified and, if appropriate, reported; (c) procedures for maintaining the integrity of records of significant activity; (d) identification of which workforce members will review records of activity; and (e) definition of which activity records need to be archived and for what duration.