Safeguards

Op10.03-21 Safeguards

Complies with the Administrative Requirements of the Health Insurance Portability and Accountability Act of 1996. 45 CFR Section 164.530

Policy

The Employee Benefit Plan has implemented administrative, technical, and physical safeguards to provide reasonable protection of Protected Health Information ("PHI") from any intentional or unintentional use or disclosure in violation of the Privacy Rule.

Procedure

  • Workforce members receive training and retraining as necessary regarding the Privacy Rule and the Employee Benefit Plan’s privacy policies and procedures. The training includes security awareness training.
  • Workforce members violating the Employee Benefit Plan’s privacy policies are sanctioned.
  • Workforce members authenticate the identification of individuals prior to permitting access to PHI or privileged information system functions. Authentication includes one or more of the following:
    • The individual provides two forms of self-identifying information (e.g. social security number, BearPass Card, birth date, hire date) and these match the information stored in the Missouri State University payroll system;
    • Responding by written request to the individual’s home address, work address, or email address and the address appears on a Missouri State University personnel screen; or
    • The individual provides documentation that they are the authorized personal representative of the participant.
  • The procedures for access to systems that store or transmit PHI provide for:
    • Use of a unique user/system identifier, and
    • Password.
  • Workforce members who have access to systems storing or transmitting PHI have either role-based or user-based access. Access is removed (or changed as appropriate) when the individual terminates his/her position, is no longer in a position or role requiring access, or no longer requires use of PHI in the performance of their job. Audit trails are created where applicable and monitored.
  • The Employee Benefit Plan’s system procedures provide for the restoration of data and software in case of a natural or man-made disaster, the continuation of operations in the aftermath of a disaster, and the development of a contingency plan and a data backup plan. They also control and document the movement of equipment associated with information systems, guard against unauthorized entry and/or tampering, maintain records of repairs, and restrict entry and testing to authorized personnel.
  • Physical access to electronic or paper PHI is restricted to authorized personnel and maintained in secure areas.
  • The Employee Benefit Plan has taken reasonable measures to secure workstations including the physical environment around workstations to ensure the security of the PHI.

Effective Date: April 14, 2003