Policy No.

8-27-2019

Revised Date:

Introduction:

The following describes WSU Employee Wellness’s policy regarding device and media controls.

Definitions:

Confidentiality: means that data or information is not made available or disclosed to unauthorized persons or processes.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Electronic Media: means electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk or digital memory card or transmission media used to exchange information already in electronic storage media.  Transmission media includes the internet, extranet, leased lines, dial-up lines, private networks and the physical movement of removable/transportable electronic storage media.  Certain transmissions including of paper via facsimile and of voice via telephone are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic format before transmission.

Facility: means the physical premises and the interior and exterior of a building(s).

Integrity: means that the data or information has not been altered or destroyed in an unauthorized manner.

Password: means confidential authentication information composed of a string of characters.

Protected Health Information: means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

User: means a person or entity with authorized access.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Policy:

WSU Employee Wellness oversees the receipt and removal of hardware and electronic media that contain electronic protected health information (“PHI”) into and out of WSU Employee Wellness’s facilities and within WSU Employee Wellness’s facilities.  Upon receipt of hardware or electronic media containing electronic PHI from outside entities or persons, the workforce member, who received the hardware or electronic media, shall log: (a) a description of the hardware (including the serial number) or type of media; (b) from whom it was received; (c) the person(s) to whom the electronic PHI pertains; (d) the reason for receiving it; and (e) the date of receipt.  If the hardware or electronic media containing PHI is subsequently returned to the person or entity who initially gave it to WSU Employee Wellness, the date of return, to whom it was returned and the person returning it also shall be recorded in the log.

 

Workforce members shall not remove any hardware or electronic media containing electronic PHI nor download electronic PHI from WSU Employee Wellness’s facilities to any computer, device, or network that is not located in WSU Employee Wellness’s facilities without the approval of the Security Officer.  Such approval shall only be granted if the hardware, electronic media or downloaded electronic PHI is necessary for the performance of a job-related function on WSU Employee Wellness’s behalf.  Workforce members shall return the hardware or electronic media or erase the downloaded electronic PHI when the job function is completed.  Authorized workforce members may remove from WSU Employee Wellness’s facilities personal portable computing devices (notebook or laptop computers, pocket computers, personal digital assistant devices (PDAs) or other similar computing devices) that contain or are capable of accessing electronic PHI.  The portable computing device shall be password-protected, requiring that the workforce member enter a password before accessing any electronic PHI.  The electronic PHI on portable computing devices shall be encrypted.  The workforce member shall be responsible for the security of the device and protecting the confidentiality of any electronic PHI.  Workforce members shall promptly report the loss or theft of any hardware, electronic media, or any electronic PHI data stored on the hardware or electronic media to the Security Officer.

 

A. Disposal

Electronic PHI subject to final disposition by WSU Employee Wellness shall be disposed of by using a method that ensures the PHI cannot be recovered or reconstructed.  WSU Employee Wellness shall ensure that a retrievable back-up copy is made before submitting hardware or electronic media for disposal of electronic PHI if it contains the only copy of the electronic PHI that is required or needed by WSU Employee Wellness.

1. The Security Officer shall be responsible for the final disposal of hardware that contains electronic PHI or the final disposal of electronic PHI on hardware using the following methods: (1) if WSU Employee Wellness is deleting the electronic PHI but not the hardware, all electronic PHI will be removed from the hardware using initialization utilities installed on such hardware that are designed to permanently remove data from memory locations; (2) if all data is being removed from the hardware - reformat and overwrite memory locations using an appropriate overwriting program or degauss the hardware if practical and appropriate; and (3) maintain a log of such data destruction that lists the device, the date of destruction, the workforce member authorizing the destruction, general description of the PHI (if available), and the identity of the workforce member performing the destruction.

2. All electronic PHI will be removed from hardware being sold, replaced, or destroyed so that it cannot be recovered or reconstructed using appropriate disposal techniques by using one of the following techniques: (1) using appropriate initialization utilities installed on the hardware that are designed to permanently remove data from memory locations; (2) running an overwriting program on such hardware that overwrites all memory locations; or (3) degaussing any hardware to the extent practical and appropriate.  A log of such data destruction will be kept that lists the device, the date of destruction, the workforce member authorizing the destruction, general description of the PHI (if available), the identity of the workforce member performing the destruction and the disposition of the device. 

3. Users may erase any electronic PHI contained on electronic media.  However, any media containing electronic PHI to be disposed of on a final basis by WSU Employee Wellness shall be submitted to  Weber State University's information technology provider for deletion.  Weber State University's information technology provider shall delete electronic PHI stored on electronic media using utilities that are designed to permanently remove data from memory locations.  Weber State University's information technology provider shall destroy all data on electronic media intended to be re-used, sold, replaced or destroyed using appropriate disposal techniques by using one of the following techniques: (1) degaussing computer tapes and diskettes to prevent recovery of electronic PHI; (2) reformatting the electronic media and overwriting the memory locations; (3) overwriting data with a series of characters; or (4) if the electronic media is not to be re-used, physically damaging the media to the level that the media is no longer usable and data cannot be retrieved from the media.  Weber State University's information technology provider shall maintain a log of such data destruction that lists the device, the date of destruction, the workforce member authorizing the destruction, general description of the electronic PHI (if available), and the identity of the workforce member performing the destruction. 

 

B. Media Re-Use

Media shall not be re-used for any purpose other than storing other electronic PHI unless all electronic PHI has been removed from the media before such re-use.  However, if the media is re-used as part of WSU Employee Wellness’s data back-up procedures or disaster recovery, such media shall not be subjected to these procedures before each re-use.  Users shall not re-use CDs, diskettes or other electronic media on which electronic PHI has been stored for any purpose, other than storing other electronic PHI, unless the electronic PHI is removed by Weber State University's information technology provider using one of the following methods: (1) degaussing computer tapes and diskettes to prevent recovery of electronic PHI; (2) reformatting the electronic media and overwriting the memory locations; or (3) overwriting data with a series of characters.

 

C. Workforce Member Data Back-Up and Storage 

WSU Employee Wellness shall create a retrievable, exact copy of electronic PHI, when needed, before equipment is moved.  WSU Employee Wellness shall back up all files containing electronic PHI to a computer, tape, CD Rom, disk, or other storage media before equipment is moved within WSU Employee Wellness.  A WSU Employee Wellness-approved backup software application’s reporting utilities will be used to validate the accuracy, completeness and integrity of the back-up.  The backed-up data shall be stored in a secure area until it is placed on different equipment or restored to the original equipment from which it was removed.