Policy No.

8-27-2019

Revised Date:

Introduction:

The following describes WSU Employee Wellness’s policy regarding audit controls.

Definitions:

Confidentiality: means that data or information is not made available or disclosed to unauthorized persons or processes. 

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media, but excludes individually identifiable health information in: (a) Education covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (b) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (c) employment records held by WSU Employee Wellness in its role as employer.

Information system: means an interconnected set of information resources under the same direct management control that shares common functionality.  A system normally includes hardware, software, information, data, applications, communications and people.

Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

User: means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.

Policy:

WSU Employee Wellness shall record and examine activity in information systems that contain or use electronic protected health information (“PHI”) for the purposes of identifying suspect activity, identifying high-risk activity, identifying security breaches, responding to potential security weaknesses, and assessing WSU Employee Wellness’s security program.  WSU Employee Wellness, with assistance from its information technology provider, shall ensure that all computer systems that contain or access electronic PHI have in place audit controls for recording and examining activity. WSU Employee Wellness with assistance from its information technology provider shall configure any new computer system received by WSU Employee Wellness to record or examine activity on the system, if not already contained on the new system.  WSU Employee Wellness shall not bring this new system online until audit controls have been established.

WSU Employee Wellness shall implement software on WSU Employee Wellness’s  information systems (including applications or processes) containing or accessing electronic PHI that records system activity such as logon, logoff, file access, file activity, attempted logons, and failed logons concurrent with the system activity.  The implemented audit control mechanism shall identify: (a) who or what is accessing data; (b) when the data is accessed; (c) what data was accessed; (d) the activity that occurred (read only, add, delete, modify data); (e) whether data is accessed by anyone outside of WSU Employee Wellness; and (f) successful and unsuccessful login attempts.  The Security Officer shall review for any detected suspicious activity.

WSU Employee Wellness shall maintain audit trails showing system activity for a minimum of six (6) years.  The Security Officer shall be responsible for maintaining the audit trail information. Audit trail information and reports containing audit trails shall remain confidential.  The audit trail shall contain: (a) the type of event; (b) the User associated with the event; (c) the date the event occurred; (d) the method or program used to access the information system; and (e) the activities undertaken with respect to the data accessed.  The Security Officer shall review audit trails at least semi-annually. The Security Officer with assistance from Weber State University's information security provider shall be responsible for determining whether an external review is necessary for WSU Employee Wellness’s audit control system.