Encryption and Decryption (A) – a mechanism to encrypt and decrypt ePHI will be implemented.

Benefits Personnel

11.1.4 Encryption and Decryption (A) – a mechanism to encrypt and decrypt ePHI will be implemented.

PROCEDURES:

11.1.1 Unique User Identification

All Workforce members are assigned unique User Identification names or numbers that enable Visa’s Information System to identify, authenticate and track User identity.

Access control lists containing the records of such unique User IDs are updated within 24 hours when access privileges are terminated or changed

11.1.2 Emergency Access Procedure

Temporary access to the Plans’ Information Systems and/or ePHI is provided in the event of emergencies. The Plans’ contingency plan (see also the policies and procedures set forth under Contingency Plan standard in the Administrative Safeguards section) sets forth the Plans’ emergency access procedures.

11.1.3 Automatic Logoff (A)

The Plans have determined that the following automatic logoff/lock-out procedures are sufficient to meet the Plans’ Security needs:

11.1 Access Control © Towers Watson 2010

(a) Password protected screen saver implemented after thirty (30) minutes inactivity. The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

11.1.4 Encryption and Decryption (A)

Alternative #1:

The Plans have determined that Encryption and decryption generally are not required for the electronic maintenance of ePHI as it may be used by the Plans in the Plans’ day-to-day activities. Access to such ePHI is restricted to those Workforce members who require it to perform their job functions. Numerous other safeguards are also in place to protect ePHI as described in this Manual.

At the present time, due to the limited risk of inappropriate Use or Disclosure of ePHI and the limited technological capability of the Plans to encrypt and decrypt ePHI in storage for its operating systems and storage platforms, the Plans have determined that the Plans’ policy will not be to encrypt ePHI in storage. The alternate controls described in this Manual have been determined to be reasonable and appropriate to mitigate the risk to ePHI.

The Security Officer may nevertheless authorize or mandate the use of Encryption and decryption on an as needed basis as may be appropriate given the nature of the information stored and the potential risks posed.

The Plans have determined that the current corporate wide policies are sufficient to meet this aspect of the Security Rule. Therefore, no additional procedures will be implemented and the Plans will rely on current practices.

Alternative #2:

The Plans have determined that Encryption and decryption are required for the electronic maintenance of ePHI as it may be used by the Plans in the Plans’ day-to-day activities and as it is stored. The Plans’ policy is to encrypt all ePHI.

Technical Safeguards

TOPIC: Audit Controls

SUBJECT: Recording and examining activity in Information Systems that contain or use ePHI.

EFFECTIVE DATE: April 21, 2005

REVISION DATES: February 17, 2010

POLICY STATEMENT:

The Plans will implement hardware, software, and/or procedural mechanisms that record and examine activity in Information Systems that contain or use ePHI.

PROCEDURES:

The Plans are required to implement mechanisms that record and examine activity in

Information Systems that contain or use ePHI. The Plans maintain the following audit controls:

(a) Audit logs;

(b) Access reports;

(d) Other internal Security controls and monitoring tools.

All activities that alter applications containing ePHI are tracked using one or more of the above audit controls. Additional change management procedures may be utilized when necessary. Additionally, changes to, or activities altering ePHI in systems or applications (such as creates, reads, updates or deletes) may be reviewed or tracked by the Plans. Such activity records may consist of any of the following elements:

(a) The type of activity performed;

(b) The date and time or access or alteration;

(c) The unique User ID of the person performing the activity; and/or (d) The identifier of the record being accessed or altered.

11.2 Integrity © Towers Watson 2010

TOPIC: Integrity

SUBJECT: Protecting ePHI from improper alteration or destruction.

EFFECTIVE DATE: April 21, 2005

REVISION DATES: February 17, 2010

POLICY STATEMENT:

All ePHI maintained in the Plans’ Information Systems is protected from improper alteration or destruction. The Plans have considered the risk and potential for improper alteration or destruction of ePHI maintained in its systems and has determined that the policies and procedures set forth herein are reasonable and sufficient to ensure the Integrity of the ePHI. These policies will include addressing the following HIPAA Implementation Specification:

11.3.1 Mechanism to Authenticate ePHI (A) – electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner will be

implemented.

PROCEDURES:

All approved Users with the ability to alter or destroy data have been identified as have been scenarios that may result in modification to the ePHI by unauthorized sources (e.g., hackers, disgruntled employees, business competitors).

11.3.1 Mechanism to Authenticate ePHI (A)

The Plans’ policies to protect ePHI from improper alteration or destruction include the following:

(a) Full backup of all data directories , files and software are performed over the weekend

(b) Incremental backup only data that has changed since the last backup; typically performed daily

(d) Database backups are typically created daily utilizing specialized software processes

(e) Manual audit controls including quarterly access list review and periodic system and security reviews by internal audit

11.3

Person or Entity Authentication © Towers Watson 2010

Technical Safeguards

TOPIC: Person or Entity Authentication

SUBJECT: Verifying that a person or entity seeking access to ePHI is the one claimed.

EFFECTIVE DATE: April 21, 2005

REVISION DATES: February 17, 2010

POLICY STATEMENT:

The Plans have implemented reasonable procedures to verify that a person or entity seeking access to ePHI is the one claimed.

PROCEDURES:

Unique User IDs are assigned to all members of the Workforce. That User ID, in conjunction with an Individually selected Password is required to logon to the Plans’ Information Systems. Workforce members are required to follow the Plans’ Password management policies and procedures (see also the Password Management policies and procedures set forth under Security Awareness and Training standard in the Administrative Safeguards section) to create and safeguard their User ID and Passwords to prevent unauthorized access to the Plans’ Information System.

Workforce members may not share their logon ID or Password. Workforce members may not misrepresent themselves to the Plans’ Information System by using another person’s unique User ID.

11.5

Unauthorized Access © Towers Watson 2010

TOPIC: Transmission Security

SUBJECT: Technical Security measures to guard against unauthorized access to ePHI that is transmitted over an electronic communications network.

EFFECTIVE DATE: April 21, 2005

REVISION DATES: September 23, 2009

POLICY STATEMENT:

The Plans have implemented technical Security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. These policies will include addressing the following HIPAA Implementation Specifications:

11.5.1 Integrity Controls (A) – Security measures to ensure that electronically

transmitted ePHI is not improperly modified without detection until disposed of will be implemented.

11.5.2 Encryption (A) – a mechanism to encrypt ePHI whenever deemed appropriate will be implemented.

PROCEDURES:

ePHI has been classified by the Plans as high risk information and should not be transmitted electronically unless reasonable methods have been taken to protect its Security. Only authorized Individuals may transmit ePHI. If ePHI is transmitted via e-mail communications, only the minimum amount of PHI needed to achieve the purpose of the communication is allowed to be transmitted. This should be determined in accordance with the Plans’ Minimum Use of PHI policy contained in Section 6.1 of the Plans’ HIPAA Privacy Policies.

When transmitting PHI via e-mail communications, the following Statement (or its equivalent) should be included:

“This e-mail message and all attachments transmitted with it are intended solely for the use of the addressee and may contain legally privileged and confidential information. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination,

distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer.”

11.5.1 Integrity Controls (A)

Methods of enabling secure transmissions and data Integrity during transmission include the following:

11.5

Technical Safeguards

11.5

(a) Digital Certificates to transit data securely

(b) Obtain vendor transmission through vendor secure website which requires the benefits department employee to utilize a username and password

Workforce members should limit the exchange of ePHI via e-mail. Archival storage of e-mails containing ePHI is permissible, but discouraged. E-mail containing ePHI should be deleted following the disposition of the issues to which they relate. If, however, the information must be retained beyond the disposition of the issue(s), the information should be stored in secured folders with limited access.

11.5.2 Encryption (A)

Alternative #1:

Although Encryption is not generally required for the electronic transmittal of ePHI that may be used by the Plans, if it is determined by the Security Officer that Encryption is required in a given circumstance, an Encryption method will be coordinated with the recipient of e-mail communications containing PHI.

Alternative #2:

Encryption is required for the electronic transmittal of ePHI that may be used by the Plans. An Encryption method will be coordinated with the recipient of e-mail communications containing PHI.

TOPIC: Breach of Unsecured PHI

SUBJECT: Notification to Individuals, the Media and the Secretary.

EFFECTIVE DATE: September 23, 2009

In document Visa Inc. HIPAA Privacy and Security Policies and Procedures (Page 82-89)