Workforce Security

Policy No.                   8-27-2019 Revised Date: 

Introduction:

The following describes WSU Employee Wellness’s policy regarding workforce security.

Definitions:

Access: means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.  However, this definition only applies to the security standards for the protection of electronic PHI.

Confidentiality: means that data or information is not made available or disclosed to unauthorized persons or processes.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Integrity: means that the data or information has not been altered or destroyed in an unauthorized manner.

Password: means confidential authentication information composed of a string of characters.

Protected Health Information: means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Policy:

WSU Employee Wellness shall protect the confidentiality and integrity of electronic protected health information (“PHI”).  WSU Employee Wellness shall only permit workforce members to gain access to electronic PHI that they are properly authorized to access.  WSU Employee Wellness shall train its workforce members on proper and appropriate use of access rights.


A. Authorization and/or Supervision

WSU Employee Wellness will take reasonable and appropriate steps to ensure that workforce members who have the ability to access electronic PHI or work in areas where electronic PHI might be accessed shall be properly authorized and/or supervised.  Workforce members shall not be allowed access to electronic PHI or to areas where electronic PHI might be accessed until proper authorization is granted.  WSU Employee Wellness will limit workforce members’ access to electronic PHI and areas where electronic PHI might be accessed to the minimum necessary to perform their specific function.  WSU Employee Wellness will establish a documented process for granting authorization and access to electronic PHI, including: (1) procedures for granting different levels of access to electronic PHI and to areas where electronic PHI might be accessed; and (2) procedures for logging and tracking authorization of workforce members’ access to electronic PHI and to areas where electronic PHI might be accessed.  WSU Employee Wellness will review authorization of access to electronic PHI, areas where electronic PHI might be accessed, and access levels, on a periodic basis and make revisions as necessary. 


B. Workforce Clearance Procedure

WSU Employee Wellness is committed to taking reasonable and appropriate steps to ensure that workforce members have the appropriate authorization to access electronic PHI.  WSU Employee Wellness shall review prospective workforce members’ backgrounds during the interview process and, as appropriate, shall perform verification checks on prospective workforce members.  Verification checks may include: (1) confirmation of claimed academic and professional experience and qualifications; (2) professional license validation; (3) credit check; and (4) criminal background check.  Workforce members who access electronic PHI will sign confidentiality agreements in which they agree not to provide electronic PHI to, or discuss confidential information with, unauthorized persons.  WSU Employee Wellness will retain such signed confidentiality agreements.


C. Termination Procedures

The Security Officer shall perform the following procedures for terminating access to electronic PHI when the retention of a workforce member ends: 

1. Ensure that such workforce member no longer has access to sensitive areas containing electronic PHI (such as computer equipment storage facilities, data centers, communication closets and medical records storage facilities) upon the termination of such workforce member.


2. Remove such person’s name from the list of authorized workforce members and file any information regarding such person with the records of other terminated workforce members.


3. Recover all keys, identification cards, physical tokens, and any other objects that facilitate physical access to property, buildings, and equipment.  The Security Officer shall change the locks and/or combinations that control physical access to areas and equipment on an as-needed basis.


4. Recover any confidential information and any of WSU Employee Wellness’s property in the workforce member’s possession.  WSU Employee Wellness may require the terminated workforce member to be escorted while such terminated workforce member packs such terminated workforce member’s belongings and as such terminated workforce member leaves the premises.


5. Deactivate user identification numbers, passwords and other electronic access codes upon the termination of such workforce member.