Workstation Security

Policy No.                   8-27-2019 Revised Date: 

Introduction:

The following describes WSU Employee Wellness’s policy regarding workstation security.

Definitions:

Access: means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.  However, this definition only applies to the security standards for the protection of electronic PHI.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Encryption: means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Facility: means the physical premises and the interior and exterior of a building(s).

Password: means confidential authentication information composed of a string of characters.

Protected Health Information: means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

User: means a person with authorized access.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Workstation: means an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

Policy:

A. To the extent possible, the Security Officer shall locate non-portable workstations that access electronic PHI in areas restricted to authorized workforce members.  The Security Officer shall locate workstations that contain or access electronic PHI in areas that are continuously monitored by workforce members, where practicable.  Areas containing workstations, if possible, shall be securely locked when the workstation is unattended.  For workstations located in non-secure areas, users shall, where possible, face the computer monitors away from public view in order to protect electronic PHI or other data from being observed.  Privacy screens will be used on all workstation screens.

B. Portable computing devices, including laptop computers, personal digital assistants (PDAs), portable storage devices, etc., while at WSU Employee Wellness’s facilities, shall be locked up at the end of each workday.  Users shall secure portable computing devices when such devices are used outside of WSU Employee Wellness’s facilities.  If a user accesses electronic PHI from a portable computing device, the device shall be password-protected so that users must enter a password before access is granted.  The electronic PHI data on the portable computing device must be encrypted using Weber State University's approved digital encryption methodology.  When accessing electronic PHI from portable computing devices, users shall prevent the information from being viewed by others.

C. Workstations for use by workforce members or any workstations that are located in areas accessible by persons outside WSU Employee Wellness shall be secured with password-protected screensavers.  Workstations from which electronic PHI is accessible will have screensavers set to turn on following not more than ten (10) minutes of inactivity.  Users shall not be authorized to change this default setting.  The screensaver shall require users to enter their User ID and a password to gain access to the workstation.