PHI Protection Standard

Standard Number: 1.11.2.3.4
Category: Information Security
Owner: Information Technology Services
Effective: August 1, 2022
Revision History: None
Review Date: July 31, 2025

1. PURPOSE, SCOPE AND RESPONSIBILITIES

   1. Pursuant to the HIPAA Hybrid Entity Designation Policy, all named University Health Care Components (“UHCC”) must implement the appropriate safeguards to ensure the protection of protected health information (“PHI”) pursuant to HIPAA.
   2. The purpose of this Standard is to identify the Administrative, Physical, and Technical Safeguards that the University has implemented, and UHCC Workforce members must follow to ensure the protection of PHI.
   3. The Chief Information Officer, supported by the Chief Information Security Officer and the Vice President of Information Technology at the Health Sciences Center, is responsible for the implementation and enforcement of this Standard.
   4. UHCC Workforce are responsible for assessing the risk of incidental uses and disclosures of PHI under HIPAA.
   5. Information Technology Services, in conjunction with the Health Sciences Center Security Officer, is responsible for maintaining documentation directly linking HIPAA and other state/federal laws, guidelines, and responsibilities back to the required safeguards and approaches.
   6. The Health Sciences Center Privacy and Security Team is responsible for the following:
      1. Thoroughly investigating any alleged patient privacy violation or Security Incident related to PHI;
      2. Ensuring HIPAA training is completed for UHCC Workforce members; and,
      3. Maintaining a database of business associate agreements currently in effect with a UHCC and a third-party.
   7. Application Administrators are responsible for safeguarding information within the systems they administer that stores PHI, including implementing access control systems to prevent inappropriate disclosure and ensuring appropriate backup procedures are in place to prevent PHI from being lost.
   8. UHCC Senior Management are responsible for ensuring all Workforce members follow the requirements within this Standard and are trained and competent in the use of University Devices assigned to each Workforce member.
   9. All Workforce members with authorized access to PHI must follow the requirements outlined in this Standard. Failure to do so may result in loss of access to PHI.
   10. The Office of General Counsel is responsible for drafting and implementing any Business Associate Agreements between a UHCC and a business associate.

2. Administrative, Physical, and Technical Safeguards

   1. The Information Security Policy identifies the framework for how the University prevents, detects, contains, and corrects security violations.
      1. Risk assessments are conducted on all named UHCCs to ensure compliance with HIPAA. See HIPAA Hybrid Entity Designation Policy.
      2. Risk assessments identify circumstances or events with the potential to adversely impact the University (“Threats”) and the likelihood such a Threat would occur. See Risk Assessment Management Standard.
      3. All Technology Governance identifies possible sanctions as a result of violation. The HSC Privacy and Security Team will recommend appropriate corrective action regarding a UHCC Workforce member who violates any University Technology Governance associated with the protection of PHI, including reporting to the applicable professional licensing board, and to federal, state and local entities as appropriate; and,
      4. Annual HIPAA risk assessments review activity conducted by designated individuals authorized to audit logs, access reports, track security incident reports within University Information Systems that store PHI.
      5. The annual risk assessments conducted by the University will include both technical and nontechnical evaluation of the requirements identified within this Standard.
   2. The Chief Information Officer, supported by the Chief Information Security Officer, is responsible for the implementation and enforcement of University Technology Governance.
   3. A University Account is the Digital Identity of a Workforce member and is comprised of three attributes: Credentials (“WVU Login”), a unique ID number (“WVUID”), and an email address. University Accounts are unique to each individual and are generated pursuant to the Identity and Authentication Standard.
   4. University Devices that access and University Information Systems that store PHI must utilize Enterprise Directory Services for Authentication (“WVU Login”). The use of local accounts and/or Authentication that does not use WVU Login for University Systems that store PHI is strictly prohibited. See Identity and Access Management Policy and Identity and Authentication Standard.
      1. Established UHCC Workforce clearance procedures ensure that access of a Workforce member to ePHI is appropriate and based on predefined roles.
      2. WVU Login accounts are provisioned and de-provisioned pursuant to the Access Management Standard and the Employee Access Termination Procedure.
   5. The Protected Health Information Privacy Policy identifies requirements for access and disclosure of PHI at the University.
      1. The University does not have any health care clearinghouse functions that require isolated access.
      2. Additional system permissions granted to Workforce members within University Information Systems that store PHI are added/removed by Application Administrators as requested by UHCC management based on an individual requiring/no longer requiring such permission for their academic or employment duties. See Access Management Standard.
      3. UHCC management are responsible for reviewing Workforce access privileges within University Information Systems that store PHI and remove those individuals no longer requiring access twice a year pursuant to the HSC End User Responsibilities and Access Standard.
   6. The University ensures Workforce personnel secure University Data, including PHI, appropriately by providing awareness on cybersecurity risk management, data protections, and duty-specific training. See Information Security Policy.
      1. Both HIPAA training and Security Awareness training are provided by the HSC Privacy and Security Team.
      2. The Password Standard identifies requirements for password composition and password management, including changing the requirement to change WVU Login password annually, at minimum.
   7. Pursuant to the University-Owned Device Standard, all University Devices that access, collect, or store PHI must:
      1. Employ anti-virus software (e.g., Sophos), which is configured for automatic daily definition updating, automatic protection of all incoming files, and scheduled weekly drive scans. Notifications of infected systems are sent to the appropriate academic or administrative IT unit that supports the device. See University-Owned Device Standard;
      2. Lock after 15 minutes of idle activity;
      3. Be encrypted to secure PHI;
      4. Be returned to the appropriate academic or administrative IT support staff when no longer being used;
      5. Be sanitized pursuant to the Data Destruction and Media Sanitization Standard prior to reusing within the unit, transferring to another unit, or relinquishing to an electronics recycling vendor;
      6. Be maintained on an inventory of all University Devices that identifies the owner and criticality of the device; and,
      7. Storage of PHI on devices is prohibited, therefore local device drives are not backed up.
   8. Administrative rights on University Devices that access PHI will be granted only to HSC ITS personnel based on job requirements to:
      1. Maintain system integrity;
      2. Run software that requires administrative rights; or,
      3. Modify needed system settings.
   9. Workforce members must never be granted administrative rights to their University Devices. Temporary administrative rights may be granted to Workforce members based on an exception and review process.
   10. Unapproved personally-owned devices must never be used to directly access, store, or collect PHI.
   11. Cellular devices or removable media (e.g, USB device) must never be used to directly access, store, or collect PHI unless approved by HSC Privacy and Security Team.
   12. All known or perceived Computer Security Incidents involving PHI must be reported to the University for investigation via the Incident Report Form. The University will investigate and classify security incident pursuant to the Computer Security Incident Plan. See Computer Security Incident Response Policy.
   13. All University Information Systems that contain PHI must:
       1. Develop a Business Continuity Plan that identifies the following:
          1. Strategies or backup and recovery of data to restore system operations quickly and effectively;
          2. A formal Information System Contingency Plan that identifies how to train personnel, activate plan, lead system recovery, and reconstitute the system after a Disruption;
          3. A business impact analysis that identify continuity of critical business processes and recovery objectives; and,
          4. Emergency access procedures.
       2. Automatically log off sessions after no more than 15 minutes of inactivity and require reauthentication.
       3. Procedures for log-in monitoring. All University Information Systems that store PHI must automatically lock after eight (8) unsuccessful, consecutive logon attempts to deter attacks. See Password Standard.
       4. Mechanisms to audit controls, protect integrity of data, mechanisms to authenticate ePHI has not been altered or destroyed, is not improperly modified with detection until disposed of. See HSC Audit and Integrity Controls for PHI.
   14. The HSC secure email delivery server is configured with data loss prevention rules that prevent PHI from being sent unencrypted. Virtual desktop environments are also employed by the University to restrict the movement and storage of ePHI to only secure servers.
   15. HSCITS audits and monitors the secure mail delivery server and virtual desktop solutions via a SIEM tool.
   16. Physical access to University buildings is granted both mechanically and electronically pursuant to the HSC Physical Access and Control Standard and Physical Access Management Standard. See also Access Control Standard and Protocol.
       1. All University Data Centers that host information systems storing PHI must have an emergency preparedness plan in place to protect the assets within. See Data Center Security Standard.
       2. All University Data Centers that host information systems storing PHI must be physically secured by keeping entrance doors closed and locked 24/7, equipping doors with an electronic lock that requires both a card swipe and PIN, and securing key combinations. See Data Center Security Standard.
       3. Access to a University Data Center for Authorized Individuals and Visitors is facilitated as outlined within the University Data Center Security Standard. Data Center Coordinators are responsible for conducting an annual audit of physical logs and electronic lock systems to ensure unauthorized individuals do not have access a University Data Center. See also HSC Physical Access and Control Standard.
       4. All University Data Centers that host information systems storing PHI must have a maintenance standard or procedure implemented that identifies how repairs to the physical components within are maintained. See OWP Data Center Maintenance Standard and HSC Change Control Procedures.
   17. UHCCs must always consider Physical Safeguards of PHI when planning facility renovations or changes that may affect the physical layout of services provided to ensure continuity of patient privacy.
   18. All Workforce workstation areas must be physically secured by:
       1. Keeping a clean desk free from patient charts and/or other working documents;
       2. Locking University Devices when leaving desk, office, and/or work area;
       3. Orienting University Device and/or use privacy screens to prevent Unauthorized Individuals from viewing PHI;
       4. Using central PHI storage provided by the University for PHI and never downloading PHI onto a University Device; and,
       5. Never storing passwords in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access control systems, or in other locations where unauthorized persons might discover them
   19. PHI transported within a facility, including from one department to another, must always be attended or supervised or otherwise secured to avoid Unauthorized Access, loss, or tampering. PHI being accessed from or taken home to work during off-hours must first be approved by manager/director.
   20. PHI transported by motor vehicle must always be in a secure container and supervised. PHI must never be left in a vehicle, even a locked one.
   21. A secure lock box must be used to protect electronic devices containing PHI and paper records.
   22. All patient care forms, labels, addressograph chips, bracelets, and/or other documents must be shredded or destroyed. If the information cannot be shredded or destroyed, the PHI must be redacted.
   23. The University will enter into business associate agreements (“BAA”) with any business associate with whom a UHCC shares PHI or is permitted to create, receive, maintain, or transmit ePHI on behalf of a UHCC pursuant to the Business Associate Agreement Procedure. See HIPAA Hybrid Entity Designation Policy.
       1. The Office of General Counsel will implement a BAA with a business associate to obtain satisfactory assurances that the business associate will appropriately safeguard PHI in compliance with HIPAA.
       2. The HSC Privacy and Security Team will maintain documentation of all implemented BAAs.

3. Workforce Member Responsibilities

   1. UHCC Workforce members must:
      1. Complete HIPAA and cybersecurity training on an annual basis;
      2. Follow the password composition and password management requirements within the Password Standard, including changing their WVU Login password annually, at minimum.
      3. Utilize University Devices to access, store, create, or collect PHI or utilize an approved remote access solution pursuant to the Remote Access Standard;
      4. Return University Devices to their academic or administrative IT support unit when the device is no longer needed;
      5. Report any known or perceived Computer Security Incidents involving PHI to the University for investigation via the Incident Report Form. See Computer Security Incident Response Policy;
      6. Secure their workstations appropriately;
      7. Use secure, central storage for PHI. Use of external file sharing/storage applications/sites (e.g., OneDrive, DropBox, FolderShare, iCloud) to share or store PHI is strictly prohibited;
      8. Never download PHI or store onto a University Device or share PHI between individual desktop computers;
      9. Utilize only authorized University solutions to access PHI remotely. See Remote Access Standard;
      10. Secure PHI accessed remotely from Unauthorized Access or viewing;
      11. Log out of University Information Systems immediately after use, especially when accessing the system remotely;
      12. Avoid transporting PHI unless essential; and,
      13. Abide by reasonable restrictions on communications requested by patients.
   2. When discussing PHI in verbal form Workforce members must:
      1. Use discretion when conducting phone conversations with patients while others are within earshot;
      2. Conduct routine discussions among clinicians (e.g., shift change, rounds) in a private area where patients or Unauthorized Individuals cannot overhear;
      3. Use a low voice when communicating with patients in places where the conversation might be overheard, or alternatively, maintain a space for private patient conferences;
      4. Confirm that patient is comfortable discussing information in front of visitors; and/or,
      5. Refrain from discussions whose context would allow a listener to identify the patient in question.

4. DEFINITIONS

   1. “Administrative Safeguards” means the actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI and manage the conduct of UHCC Workforce members.
   2. “Application Administrators” means local system administrators of a University Information System.
   3. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
   4. “Computer Security Incident” means a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of Incidents include an attacker commanding a botnet to send high volumes of connection requests to a web server, causing it to crash; users tricked into opening a ‘quarterly report’ sent via email that is actually malware; an attacker obtaining sensitive data and threatening that the details be released publicly if the organization does not pay a designated sum of money; or, a user providing or exposing sensitive information to others through peer-to-peer file sharing services.
   5. “Incidental Use or Disclosure” means the inadvertent, unauthorized disclosure of PHI, which occurs as an incident to a permitted disclosure of PHI.
   6. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and all other regulations promulgated thereunder
   7. “Physical Safeguards” means the physical measures, policies, and procedures to protect UHCC’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
   8. “Reasonable Safeguards” means policies, protocols, physical arrangements, and other feasible measures taken to lower the risk of inadvertent, unauthorized disclosures of PHI. Administrative and financial considerations may be taken into consideration in assessing the reasonableness of a safeguarding strategy.
   9. “Technical Safeguards” means the technology and the policy and procedures for its use that protect electronic health information and control access to it.
   10. “Transport” means to physical move PHI, whether on paper, on encrypted mobile digital devices, or encrypted electronic storage devices (e.g., laptop, smartphone, USB/thumb drive, disk) from one location to another by any means (e.g., foot, motor vehicle, courier, airplane).
   11. “University Device” means any laptop, computer, notebook, tablet, and smartphone owned by the University that is used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
   12. “University Information System” means an information system that is on the campus network, requires Authentication, and is used to support the academic, administrative, research, and/or outreach activities of the University.
   13. “Workforce” means any employee, student, volunteer, trainee, or other person whose conduct in the performance of work for a UHCC is under the direct control of a UHCC, whether or not the Workforce member is paid by the UHCC or not.

5. Related Documents

   1. Protected Health Information Privacy Policy
   2. Acceptable Use of Data and University Technology Resources
   3. Sensitive Data Policy
   4. Sensitive Data Protection Standard
   5. Password Standard
   6. University-Owned Device Standard
   7. Access Control Standard and Protocols
   8. Access Management Standard
   9. Employee Access Termination Procedure
   10. Computer Security Incident Response Policy
   11. HSC Audit and Integrity Controls for PHI (requires WVU Login to access)
   12. Business Associate Agreement Procedure (requires WVU Login to access)