DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION)

Delhaize America, LLC Pharmacies and Welfare Benefit Plan 2013 Health Information Security and Procedures (As amended and restated effective September 1, 2016)

ARTICLE I INTRODUCTION AND PURPOSE

Delhaize America, LLC ("Delhaize") adopts this Health Information Security and Procedures (the "Security"), as amended and restated effective September 1, 2016, on behalf of the Pharmacies operated by Food Lion, LLC and Hannaford Bros. Co., LLC and the Health Care Benefit Options that are offered under the Plan to eligible employees and retirees of Delhaize and other Participating Employers, the purpose of which is to comply with the written policy requirement of the Security Standards for the Protection of Electronic Protected Health Information contained in 45 C.F.R. Parts 160, 162 and 164 (the "Security Standards"), as amended to reflect the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and as otherwise amended from time to time.

The Security provides policies and procedures implemented by the Pharmacies and the Health Care Benefit Options, which are Covered Entities, to comply with the standards, implementation specifications and other requirements of the Security Standards. This Security is intended to underscore the security requirements that are specific to the Security Standards and HITECH, while also aligning with Delhaize's Information Security policies and standards, which address in detail the topics of information security management; information access management; asset management; information classification and handling; personnel security; access control; physical security; communications and data protection management; security operations; monitoring and response; application security; legal, privacy and regulatory compliance; and acceptable use.

The Security Standards require the Pharmacies and Health Care Benefit Options to do the following: ensure the confidentiality, integrity and availability of all Electronic Protected Health Information created, received, maintained or transmitted for a pharmacy or group health plan; protect against any reasonable or anticipated threats or hazards to the security or integrity of such Electronic Protected Health Information; protect against any reasonably anticipated uses or disclosures of Electronic Protected Health Information that are not permitted or required under the Privacy Standards; and ensure that employees of Delhaize or any other Participating Employer comply with the requirements of the Security Standards.

The Security shall be administered by the Vice President of Pharmacy, the Plan Administrator and the Chief Information Security Officer (CISO), who serves as the designated HIPAA Security Official. The Vice President of Pharmacy, the Plan Administrator and the CISO shall have complete and absolute power, authority and discretion to determine all matters with respect to the administration of the Security and to implement and carry out the provisions herein, including, but not limited to, the determination and interpretation of all provisions of the Security and modification of the Security from time to time as necessary to comply with any changes in applicable law, including the Security Standards.

ARTICLE II ELECTRONIC PROTECTED HEALTH INFORMATION

Section 2.1 Application of Security.
The Security applies to the Pharmacies and the Health Care Benefit Options that are subject to the Privacy Standards and create, receive, maintain or transmit Electronic Protected Health Information (also referred to herein as "E-PHI").

Section 2.2 Scope of Electronic Protected Health Information.
Electronic Protected Health Information is Protected Health Information that is maintained or transmitted in Electronic Media. Electronic media means media described in each of (a) and (b) below:
(a) Electronic storage media on which data is or may be recorded electronically, including devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(b) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission.

Section 2.3 Systems for Electronic Protected Health Information.
Electronic Protected Health Information for any Pharmacy or Health Care Benefit Options is accessed, created, received, maintained or transmitted in and through the information technology system (or systems) that services and supports the business operations and systems of Delhaize or other Participating Employer. The structure and operation of the information technology systems are controlled by personnel from the Delhaize America IT Department and the Information Security Organization (ISO) and are subject to the security policies, procedures and standards developed and maintained by the ISO. Where appropriate, the requirements of the Security may be coordinated and/or implemented through such policies, procedures and standards.

ARTICLE III DEFINITIONS

Whenever used in this Security, the following words and phrases shall have the respective meanings stated below unless a different meaning is plainly required by the context, and where the defined meaning is intended, the term is capitalized. Capitalized terms not defined herein shall have the meaning attributed to such terms under the Privacy Standards, the Security Standards or the Plan, as applicable.

Section 3.1 Business Associate
A "Business Associate" means any person or entity who, other than in the capacity of a member of the workforce of the Pharmacies or Health Care Benefit Options, (a) creates, receives, maintains or transmits Protected Health Information on behalf of the Pharmacies and/or Health Care Benefit Options, involving the Use or Disclosure of Individually Identifiable Health Information as more specifically identified in the Privacy Standards, or (b) provides services to the Pharmacies and/or Health Care Benefit Options where the provision of the service involves the Use or Disclosure of Protected Health Information to the person. Examples of functions or services performed by Business Associates include the following: claims processing or administration, data analysis, utilization review, quality assurance, benefit management, legal, actuarial, accounting, consulting, data aggregation, management, financial and administrative services provided to or for the Pharmacies and Health Care Benefit Options. A Business Associate includes any person that provides data transmission services for Protected Health Information to the Pharmacies and Health Care Benefit Options on a routine basis.

Section 3.2 Delhaize
"Delhaize" means Delhaize America, LLC, its affiliates and any successor to such entity whether by merger, consolidation, liquidation or otherwise.

Section 3.3 Effective Date
"Effective Date" means September 23, 2013.

Section 3.4 Electronic Media
"Electronic Media" has the meaning set forth in Section 2.2 hereof.

Section 3.5 Electronic Protected Health Information (or E-PHI)
"Electronic Protected Health Information" or "E-PHI" means Protected Health Information that is maintained or transmitted in Electronic Media.

Section 3.6 Encryption
"Encryption" means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

Section 3.7 Facility
"Facility" means the physical premises and the interior and exterior of a building(s).

Section 3.8 Health Care Benefit Options
"Health Care Benefit Options," for purposes of this Security, mean any of the health care benefit options offered to employees of Participating Employers and the employees performing administrative functions relating to such Health Care Benefit Options on behalf of the Plan Administrator, to the extent such Health Care Benefit Options constitute a Covered Entity subject to the Security Standards. The Health Care Benefit Options governed by this Security are identified in the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures.

Section 3.9 HR
"HR" means Human Resources.
Section 3.10 Individually Identifiable Health Information
"Individually Identifiable Health Information" means health information, including demographic information, collected from an individual that:
(a) Is created or received by a Pharmacy or Health Care Benefit Options; and
(b) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) Identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Individually Identifiable Health Information may be in any form, such as written, oral, or electronic.

Section 3.11 Information Security Book
"Information Security Book" means a comprehensive information security governance strategy to control risks and manage the Delhaize America, LLC information security operations within which E-PHI is contained, accessed, created, received, maintained or transmitted for a Pharmacy or Health Care Benefit Options, as may be amended or supplemented from time to time.

Section 3.12 IT System
"IT System" means a technology information system that supports and services the business and operations of a Participating Employer.

Section 3.13 Participating Employer
"Participating Employer" means Delhaize and any affiliates thereof participating in the Plan.

Section 3.14 Pharmacies
"Pharmacies" means the pharmacies operated by Food Lion, LLC and Hannaford Bros. Co., LLC in many retail locations. The Pharmacies to which this Security applies are the same as the Pharmacies to which the Delhaize America, LLC Pharmacy HIPAA Privacy Policies and accompanying forms and guidance apply.

Section 3.15 Plan
"Plan" means the plan or program under which Health Care Benefit Options are offered, as amended from time to time. The Plans to which this Security applies are the same as the plans to which the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures applies.

Section 3.16 Plan Administrator
"Plan Administrator" means Delhaize or such other person or entity appointed by Delhaize to administer the Plan; provided, that for any Plan under which insured Health Care Benefit Options are offered, it shall mean, for those Options, the person or entity designated as such under the applicable insurance policy or other agreement.
Section 3.17 Privacy Policies
"Privacy Policies" refers to the Delhaize America, LLC Pharmacy HIPAA Privacy Policies and accompanying forms and guidance, as well as the Delhaize America, LLC Welfare Benefit Plan Health Information Privacy and Procedures, all as may be amended or supplemented from time to time.

Section 3.18 Privacy Standards
"Privacy Standards" means the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and E, as may be amended from time to time.

Section 3.19 Protected Health Information (PHI)
"Protected Health Information" or "PHI" means Individually Identifiable Health Information, excluding:
(a) Certain education records covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232g); and
(b) Employment records held by a Participating Employer in its role as employer.

Section 3.20 Security Official
"Security Official" means the Security Official identified in Exhibit A attached to this Security.

Section 3.21 Security Standards
"Security Standards" means the Security Standards for the Protection of Electronic Protected Health Information contained in 45 C.F.R. Parts 160, 162 and 164, as may be amended from time to time.

Section 3.22 Secretary
"Secretary" means the Secretary of the Department of Health and Human Services or his designee.

Section 3.23 Workstation
"Workstation" means an electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.

ARTICLE IV ADMINISTRATIVE STANDARDS

Section 4.1 Security Management Process - Risk Analysis
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to prevent, detect, contain and correct security violations relating to E-PHI.

Procedures - Risk Analysis
The CISO/Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, has conducted an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of E-PHI.
(a) The risk analysis identified the following for the Pharmacies and the Health Care Benefit Options:
(i) the source and location of any E-PHI received, created, maintained, stored, transmitted by (or on behalf of) the Pharmacies and the Health Care Benefit Options, including, for example, Protected Health Information that is converted into electronic format (e.g., using an Excel spreadsheet, Word document program or Acrobat software program) for electronic storage or transmission, or email communications;
(ii) all IT Systems that involve access, receipt, creation, storage or transmission of E-PHI for the Pharmacies and the Health Care Benefit Options; the ownership and supervision of any such IT System and all IT System elements and all physical facilities where such IT System and IT System equipment is located; and
(iii) all individuals that are involved in the receipt, creation, storage, maintenance and transmission of E-PHI for the Pharmacies and the Health Care Benefit Options, including personnel in the HR, IT and ISO Departments for Delhaize or any other Participating Employer.
(b) The risk analysis further identified all current security measures to protect E-PHI for the Pharmacies and the Health Care Benefit Options. These current security measures include security measures for E-PHI required pursuant to the Privacy Policies and applicable policies in the Information Security Book (which are hereby incorporated into this Security by reference).
(c) The risk analysis assessed potential risks and vulnerabilities to the security and integrity of E-PHI for the Pharmacies and the Health Care Benefit Options. This analysis considered, among other things, the potential for and likelihood of unauthorized access, use or disclosure of E-PHI or loss of data integrity for E-PHI.
(d) The CISO/Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, evaluated current security measures to determine whether and the extent to which such measures satisfy the standards and implementation specifications of the Security Standards.

Section 4.2 Security Management Process - Risk Management Program
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to prevent, detect, contain and correct security violations relating to E-PHI.
Procedures - Risk Management Program
The Pharmacies and the Health Care Benefit Options have implemented appropriate security measures in response to the risk analysis described in Section 4.1 above to reduce risks to the confidentiality, integrity and availability of E-PHI for the Pharmacies and the Health Care Benefit Options to a reasonable and appropriate level as follows:
(a) The Pharmacies and the Health Care Benefit Options have determined in certain instances that existing security measures for E-PHI satisfy the required and addressable implementation requirements of the Security Standards. In other instances, the Pharmacies and the Health Care Benefit Options are modifying existing security measures or implementing additional administrative, physical or technical security measures, in each case to satisfy the Security Standards.
(b) In evaluating whether to modify existing security measures for E-PHI or implement additional security measures, the Pharmacies and the Health Care Benefit Options consider the size, complexity, technical capabilities (in terms of the overall technical capabilities of the IT System that accesses, receives, creates, maintains or transmits E-PHI for the Pharmacies and the Health Care Benefit Options), the risk of a security violation (as defined by the Risk Analysis) and the relative costs of any security measures.
(c) Any new or modified security measures implemented, as well as any current security measures maintained, are subject to periodic review as established by the CISO/Security Official (or his or her delegate) as set forth in Article VII.

Section 4.3 Security Management Process - Sanction
The Pharmacies and the Health Care Benefit Options must implement policies and procedures to detect, prevent, contain and mitigate security violations relating to E-PHI.

Procedure - Sanction
(a) Sanctions may be applied against any employees of a Participating Employer who access, receive, create, maintain or transmit E-PHI for or on behalf of the Pharmacies or the Health Care Benefit Options and fail to comply with the terms and conditions of this Security.
(b) The sanctions to be applied to an employee who fails to comply with the requirements of the Security may include disciplinary action, up to and including termination of employment, consistent with a Participating Employer's employment policies.
(c) The procedures for determining sanctions under this sanction policy are the same as those procedures set forth in the Privacy Policies, as applicable; provided, however, that the nature of any violation triggering sanctions shall be determined with reference to the requirements of this Security.
(d) The applicable procedures implemented pursuant to the Privacy Policies (and any related employment policies of a Participating Employer) for determining sanctions and disciplinary action are hereby incorporated by reference into the Security.

Section 4.4 Information System Activity Review
The Pharmacies and the Health Care Benefit Options must review records of information system activity on a regular basis to detect, prevent, contain and mitigate security violations.

Procedures
(a) Activity in an IT System is tracked and documented pursuant to the applicable policies in the Information Security Book. The information system activity for E-PHI accessed, created, received, maintained or transmitted under this IT System will be handled in accordance with these policies and procedures. Examples of information system activity that may be reviewed for Security Standard violations include audit logs, access reports, security incident tracking reports and data modification tracking reports.
(b) The Security Official (or his or her delegate) will review information system activity in coordination with appropriate IT and ISO Department personnel at such times and in such manner so as to allow for reasonable detection and investigation of potential security violations of the Security Standards. Except as otherwise directed by the Security Official (or his or her delegate), such reviews shall take place and be handled in accordance with the policies in the Information Security Book.
(c) IT and ISO Department personnel will assist the Security Official (or his or her delegate) in determining whether existing information system activity allows for appropriate detection, prevention or containment of security violations. Any modification or update of these information activity mechanisms will be made in accordance with applicable policies in the Information Security Book.

Section 4.5 Workforce Security
The Pharmacies and the Health Care Benefit Options must ensure that employees of a Participating Employer or of the Pharmacies who create, receive, maintain or transmit E-PHI for the Pharmacies and the Health Care Benefit Options have appropriate access to such E-PHI. Accordingly, the Pharmacies and the Health Care Benefit Options must ensure that employees of a Participating Employer or any other individuals who do not require access to E-PHI are appropriately restricted from such access.

Procedures
(a) Only those employees of a Participating Employer who are designated to handle Protected Health Information on behalf of the Health Care Benefit Options under the Privacy Policies will be granted access to E-PHI and IT System equipment through which E-PHI is accessed, created, maintained or transmitted. The nature and scope of such access will be based in part upon an individual's job specifications and responsibilities. Procedures for authorizing and limiting access are the same as those access procedures set forth in the Privacy Policies and applicable policies in the Information Security Book. Access procedures implemented under the Privacy Policies include the following:
(b) Access to any IT System containing Protected Health Information shall be protected by (A) limiting access to specifically identified persons and (B) requiring those persons to have appropriate personnel clearance including, for example, entering both a user identification number/code and a password to access the IT System, whether onsite or remotely.
(i) As soon as administratively feasible after an authorized employee, contractor or service provider no longer requires access to Protected Health Information for any reason (e.g., termination of employment or contract), all reasonable steps necessary to prevent such person's or entity's access to Protected Health Information must be taken. This includes removing any permitted means of access, such as returning keys or access cards, removal of user accounts, change of passwords, removal from access lists or changing locks. In addition, Business Associates, where necessary, must be notified that such person or entity is no longer authorized to access Protected Health Information.
(ii) Reasonable efforts shall be made to limit access to only those persons within a Participating Employer's workforce as specifically identified under the Privacy Policies for the type(s) of Protected Health Information allowable for such persons. Such persons are limited to those who need access to Protected Health Information to carry out their duties for the Pharmacies and the Health Care Benefit Options.
(iii) Any designated person may access the Protected Health Information designated for such person under the Privacy Policies, only if the person satisfies the applicable conditions for such access as set forth in the Privacy Policies or the policies in the Information Security Book.

(c) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must take reasonable steps to ensure that any E-PHI displayed on the screen of his or her Workstation is viewable only by another authorized employee, including closing the applicable window, using screen saver devices and/or locking the door to the work area where such Workstation is located or, in the alternative, shutting down or otherwise locking his or her computer.

(d) Any individuals who do not engage in activities relating to the Pharmacies and the Health Care Benefit Options but may work in areas where E-PHI may be inadvertently viewed or accessed (e.g., maintenance personnel) must have specific authorization as part of their duties to access such areas.

(e) Given the limited number of persons in the workforce who are authorized to access E-PHI and the fact that such access is generally based upon an employee's particular job responsibilities, it has been determined that it would not be reasonable or appropriate to establish additional workforce clearance or personnel screening procedures for continuing access to E-PHI. The access procedures currently in place under the Privacy Policies, in combination with the policies in the Information Security Book and the current employment procedures for screening and clearance, adequately address this matter.

Section 4.6 Information Access Management
The Pharmacies and the Health Care Benefit Options will ensure that access to E-PHI is authorized.

Procedure

(a) Each employee will be properly authorized to access E-PHI. Authorization will be determined and provided in accordance with job specifications or responsibilities and the procedures set forth in the Privacy Policies. Existing procedures for authorizing access under the Privacy Policies and the policies in the Information Security Book include the following:
(i) Access to any IT System containing Protected Health Information shall be protected by (I) limiting access to specifically identified persons and (II) requiring those persons to enter both a user identification number/code and a password to access the IT System, whether onsite or remotely.
(ii) As soon as administratively feasible after an authorized employee, contractor or service provider no longer needs access to Protected Health Information for any reason (e.g., termination of employment or contract), all reasonable steps necessary to prevent such person's or entity's access to Protected Health Information must be taken. This will include removing any permitted means of access, such as returning keys or access cards, removal of user accounts, change of passwords, removal from access lists or changing locks. In addition, Business Associates, where necessary, must be notified that such person or entity is no longer authorized to access Protected Health Information.
(iii) Any portable electronic devices (such as laptops, disks and computer tapes) containing Protected Health Information shall be encrypted or shall be stored in a locked file or room with limited access. Access to information located on such devices also may be password protected.

(b) All electronic documents (including e-mails, Word documents, electronic faxes, reports or Excel spreadsheets) containing any E-PHI must be stored on a designated drive in one or more separate folders to which only authorized personnel will have access. Access to these folders will be determined and controlled by the Security Official (or his or her delegate) in coordination with IT personnel. Authorized personnel may be permitted to use personal subfolders in the IT System's general network drive to temporarily create and store any such electronic documents prior to transfer to (or storage in) a separate subfolder that has been designated for that purpose.
(c) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must lock the door to the work area where such Workstation is located or, in the alternative, shut down or otherwise lock his or her computer.

(d) Additional procedures or criteria for reviewing and modifying a user's authorization to access a workstation, program, transaction or process may be established from time to time.

Section 4.7 Security Awareness and Training
Security awareness and training will be provided to all employees of a Participating Employer or Pharmacy who are authorized to handle or otherwise have access to E-PHI.

Procedures

(a) Security awareness and training will be made part of the training program required under the Privacy Policies and coordinated with any applicable training programs required under the policies in the Information Security Book. Security awareness and training will be required for all new employees and for existing employees in the same manner as required by the Privacy Policies.

(b) The policies in the Information Security Book for guarding against, detecting and reporting malicious software, and for password protection, shall be followed and applied under this Security Policy.

(c) Employees shall be promptly notified of any modifications to the security measures for E-PHI. In addition, periodic updates shall be provided to employees as needed to ensure they (i) are aware of any important security issues and (ii) understand their responsibility to protect the security of E-PHI. These updates will be communicated in the same manner and at the same time as any updates required under the Privacy Policies. Updates to the technical security measures in place under the IT System may be communicated in accordance with the policies in the Information Security Book.

(d) It has been determined that it is not reasonable or appropriate to implement, or provide training for, the following:
(i) log-in monitoring procedures, as the risks of unauthorized access to E-PHI or of security violations (I) would not be mitigated in any substantial way by monitoring log-in attempts and (II) are otherwise addressed by other security measures, such as the requirements for password protection and user identification codes; and
(ii) additional procedures for password creation, changing or safeguarding, as the current policies in the Information Security Book and the guidelines in the Privacy Policies provide sufficient protection. For example, under existing policies in the Information Security Book, users are required to periodically change passwords and a screen saver mode is in place on all Workstation monitors. The Security Official may, in coordination with IT and ISO Department personnel, implement such additional password protection procedures as may be deemed necessary or appropriate.

Section 4.8 Security Incidents
The Pharmacies and the Health Care Benefit Options must be able to identify and respond to Security Incidents of which the Vice President of Pharmacy, the Plan Administrator or the Security Official becomes aware, or which any of them suspects has occurred.

Procedures

(a) Employees who have access to E-PHI will be subject to the security awareness training described in Section 4.7 above.

(b) Each such employee will be required to report to the Security Official (or his or her delegate) any known or suspected Security Incident.

(c) All Security Incidents that are known or are suspected of occurring will be documented and investigated.
Upon becoming aware of a Security Incident or suspecting the occurrence of a Security Incident, the Vice President of Pharmacy, the Plan Administrator or the Security Official (or a delegate of any of these individuals) will take actions on behalf of the Pharmacies and the Health Care Benefit Options to respond to the Security Incident. This response will include, to the extent practicable, mitigating any harmful effects of the Security Incident.

(d) The appropriate response to a Security Incident will be determined by the Vice President of Pharmacy, the Plan Administrator or the Security Official (or a delegate of any of these individuals) based on the surrounding facts and circumstances, including the nature and severity of the Security Incident. Responses may include, but are not limited to, the application of disciplinary actions against responsible personnel, the initiation of security reminders, additional training, or an evaluation of the adequacy of existing security measures.

(e) Except as otherwise established by the Security Official, documenting, investigating and responding to any Security Incident that is of a technical nature generally will be handled in accordance with the policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, implement additional procedures governing the response to or mitigation of a Security Incident as may be deemed necessary or appropriate.

Section 4.9 Contingency Plan
The Pharmacies and the Health Care Benefit Options must establish and maintain business continuity and contingency procedures to (1) respond to an emergency or other occurrence (e.g., system failure, vandalism or natural disaster) that may damage systems containing E-PHI and (2) protect E-PHI during the event.

Procedures

(a) The contingency procedures include, among other things, the following:
(i) procedures to create and maintain retrievable exact copies of E-PHI; and
(ii) procedures to restore lost data (which may include procedures requiring attempted recovery of the data from the original outside source, such as the individual to whom the data pertains).

(b) The preceding procedures shall be based upon the applicable policies in the Information Security Book for data backup and data restoration upon the occurrence of an emergency. The Security Official may, in coordination with IT, ISO and Facility management personnel, implement such additional procedures as may be deemed necessary or appropriate to specifically address the requirements for such a contingency.

Section 4.10 Evaluation
The Pharmacies and the Health Care Benefit Options will periodically evaluate this Security Policy by performing technical and non-technical evaluations to assess the extent to which the policies and procedures set forth herein satisfy the requirements of the Security Standards.

Procedures

(a) The Security Official (or his or her delegate) will evaluate the Pharmacies' and the Health Care Benefit Options' compliance with the requirements of the Security Standards. Evaluation of continuing compliance with the Security Standards will be conducted from time to time, taking into account any changes in the security environment or operations, as well as any changes in the E-PHI created, received, maintained or transmitted by the Pharmacies and the Health Care Benefit Options.
These evaluations will assess whether the existing policies and procedures set forth herein remain appropriate in light of the changes to the environment or to the E-PHI.

(b) The evaluations must be technical as well as non-technical in nature. Any technical evaluations will be conducted in accordance with applicable policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, conduct such additional evaluations as may be deemed necessary or appropriate to address compliance with the Security Standards.

ARTICLE V PHYSICAL SAFEGUARDS

Section 5.1 Facility Access Controls
The Pharmacies and the Health Care Benefit Options will limit physical access to IT System equipment where E-PHI is accessed, created, received, maintained or transmitted, and to the Facility work areas where such IT System equipment is located, to those individuals who are properly authorized.

Procedures

(a) IT System equipment containing or permitting access to E-PHI, and those Facility work areas where such IT System equipment is located, will be safeguarded from unauthorized access, tampering or theft in accordance with applicable policies in the Information Security Book and the Privacy Policies. The Security Official may, in coordination with IT personnel, require that such additional procedures be implemented as may be deemed necessary or appropriate to protect against unauthorized access to Facility work areas and IT System equipment.

(b) Access to IT Systems containing E-PHI to carry out disaster recovery or emergency operations must be allowed. Such access shall be provided in accordance with any policies in the Information Security Book addressing access to IT Systems for data recovery and restoration.

(c) The Pharmacies and the Health Care Benefit Options also must control and validate physical access to work areas and IT System equipment. The procedures for controlling and validating access are set forth in the Privacy Policies, the Retail Operational Standard Practices and the policies in the Information Security Book. The Security Official may, in coordination with IT and ISO Department personnel, require such additional access restrictions as may be deemed necessary or appropriate, including, for example, requiring special key card access to work areas, additional access codes for IT System equipment and special authorization procedures for non-routine access by visitors, repair persons or technicians.

(d) Any record keeping for physical repairs or modifications to the Facility work areas shall be handled in accordance with the policies in the Information Security Book.
Section 5.2 Workstation Use
The Pharmacies and the Health Care Benefit Options will identify those Workstations or classes of Workstations that contain or permit access to E-PHI, and will specify the proper functions to be performed at such Workstations or classes of Workstations, the manner in which those functions are to be performed and the physical surroundings for those Workstations or classes of Workstations.

Procedure

(a) The procedures addressing the manner and scope of use for a Workstation where E-PHI is contained or accessed are set forth in the Privacy Policies, any applicable policies in the Information Security Book and the Participating Employer employment policies.

(b) The procedures for defining the physical surroundings for a Workstation are addressed in the Facility Access Controls set out in Section 5.1 of this Security Policy.

Section 5.3 Workstation Security
The Pharmacies and the Health Care Benefit Options will implement physical safeguards for all Workstations that contain or permit access to E-PHI in order to restrict access to any such Workstation to authorized users only.

Procedure

(a) Each Workstation will be subject to the access restrictions required by the Privacy Policies and applicable policies in the Information Security Book. Under these safeguards, an authorized employee or other individual must enter both a user identification number/code and a password to access the IT System. In addition, the Privacy Policies and applicable policies in the Information Security Book provide specific procedures for termination of physical access, which may include returning keys or access cards. The Security Official may, in coordination with IT and ISO Department personnel, implement such additional physical access limits as may be deemed necessary or appropriate to satisfy the Security Standards.

(b) Any employee having access to E-PHI who reasonably expects to be away from his or her Workstation for more than a brief period of time must lock the door to the work area where such Workstation is located or, in the alternative, shut down or otherwise lock his or her computer. Workstations also are required, pursuant to the policies in the Information Security Book, to have screen saver activation with password access.

(c) The above procedures also apply to the use of laptops and remote connections; this level of security is reasonable and appropriate.

Section 5.4 Device and Media Controls
The Pharmacies and the Health Care Benefit Options must manage and safeguard the receipt, removal and disposal of hardware or other electronic media that contains E-PHI.

Procedures

(a) The disposal of E-PHI (and of any hardware or other electronic media on which E-PHI is stored) will be handled in accordance with the policies in the Information Security Book. All E-PHI contained on computers, fax machines, copiers or other electronic storage media must be deleted or destroyed before such media is discarded or made available for re-use.

(b) The following will be handled in accordance with the policies in the Information Security Book:
(i) any physical removal or relocation of computer hardware or other electronic media;
(ii) the determination of whether and to what extent an exact copy of E-PHI will be created prior to the movement of IT System equipment or the transfer of E-PHI; and
(iii) the creation and maintenance of backup data files including E-PHI, and the person(s) responsible for such.
It has been determined that the policies in the Information Security Book appropriately and reasonably address these aspects of the above policy.

ARTICLE VI TECHNICAL STANDARDS

Section 6.1 Access Controls
The Pharmacies and the Health Care Benefit Options must implement technical security measures to limit access to the portions of the IT Systems containing E-PHI to only those persons or software programs that are authorized to have access.

Procedures

(a) Pursuant to the Privacy Policies and the policies in the Information Security Book, each employee who is authorized to access, create, receive, maintain or transmit E-PHI must use a unique identification code to access any IT System that contains E-PHI, including through a remote connection or laptop. This code allows the IT System to identify and authenticate the user and to track his or her activity, including with respect to any Security Incidents.

(b) Emergency access to IT Systems containing E-PHI is required as part of the contingency plan described in Section 4.9 above. Access to E-PHI in these circumstances shall be handled in accordance with applicable policies in the Information Security Book and the Facility security policies.

(c) The Security Official may, in coordination with IT and ISO Department personnel, require at a later date that additional electronic procedures be implemented as may be necessary or appropriate to limit unauthorized access to IT Systems containing E-PHI. These types of electronic procedures include automatic log-off or sleep mode programs. Any such procedures shall be implemented in accordance with applicable policies in the Information Security Book.

Section 6.2 Audit Controls
The Pharmacies and the Health Care Benefit Options must have hardware, software or procedural mechanisms that record and examine activity in IT Systems that contain or use E-PHI.

Procedures
IT Systems and activities involving E-PHI are subject to such audit controls as may be in place under the policies in the Information Security Book. Any resulting incident reports and logs may be used by the Security Official in connection with information system activity reviews.

Section 6.3 Integrity of Electronic Protected Health Information
The Pharmacies and the Health Care Benefit Options must take reasonable measures to protect E-PHI from unauthorized alteration or destruction and to authenticate E-PHI.
Procedures
E-PHI is protected from unauthorized alteration or destruction pursuant to the safeguards in place under the policies in the Information Security Book. Examples of mechanisms to avoid or detect alteration or destruction of E-PHI may include error correcting memory, magnetic disk storage or processes that employ digital signatures. The Audit Controls implemented under applicable policies in the Information Security Book also enable parties to assess whether E-PHI has in fact been altered or destroyed.

Section 6.4 Person or Entity Authentication
The Pharmacies and the Health Care Benefit Options will ensure that IT Systems that contain or permit access to E-PHI adequately authenticate the identity of the person or entity seeking access to such E-PHI.

Procedures
It has been determined that the policies in the Information Security Book and the procedures under the Privacy Policies contain sufficient technical mechanisms for appropriately and reasonably verifying the identity of a person or entity seeking access to E-PHI. For example, the Privacy Policies provide that each person must have a user identification code and password to access the IT System containing E-PHI.

Section 6.5 Transmission Security
The Pharmacies and the Health Care Benefit Options must prevent unauthorized access to E-PHI that is transmitted over any information technology network.

Procedures
E-PHI shall be protected from unauthorized access during transmission in accordance with applicable policies in the Information Security Book. Protections for transmission of E-PHI may include email digital signatures or disclaimers.

ARTICLE VII ORGANIZATIONAL REQUIREMENTS

Section 7.1 Designation of Security Official and Contact Person
The Pharmacies and the Health Care Benefit Options will designate a Security Official for the development and implementation of this Security Policy. The Security Official will be required to coordinate the implementation of any physical, technical and administrative safeguards for E-PHI in accordance with this Security Policy. Accordingly, the Security Official (or his or her delegate) will, from time to time, review and coordinate the operation of the Privacy Policies, the policies in the Information Security Book, the employment policies and the Facility security policies as may be deemed necessary or appropriate. The Security Official (or his or her delegate) shall be the contact person responsible for receiving complaints and providing further information.

Section 7.2 Responsibilities for Compliance Reports and Reviews

(a) Provide Records and Compliance Reports.
The Pharmacies and the Health Care Benefit Options must keep records and submit compliance reports, at such time and in such manner as the Secretary may determine to be necessary to enable the Secretary to ascertain compliance with the Security Standards.

(b) Cooperate with Compliance Investigations and Reviews. The Pharmacies and the Health Care Benefit Options shall cooperate with the Secretary in investigations or compliance reviews of the policies, procedures or practices of the Pharmacies and the Health Care Benefit Options to determine compliance with the Security Standards.

(c) Permit Access to Information. The Pharmacies and the Health Care Benefit Options shall permit access by the Secretary during normal business hours to their facilities, books, records and accounts and other sources of information, including E-PHI, that are pertinent to ascertaining compliance with the Security Standards. If any information required under this section is in the exclusive possession of any other agency, institution or person and that agency, institution or person fails or refuses to furnish such information, the Pharmacies and/or the Health Care Benefit Options must so certify and set forth what efforts were made to obtain the information.

ARTICLE VIII POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

Section 8.1 Policies and Procedures - Modifications and Updates

(a) Elective Changes. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, may make changes to this Security Policy from time to time; provided that such changes comply with, and are implemented in accordance with, the Security Standards.

(b) Changes Required for Compliance. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, shall make changes to this Security Policy as necessary and appropriate to comply with changes in the law, including the Security Standards.

(c) Changes Required for Environment or Operations. The Vice President of Pharmacy, the Plan Administrator and the Security Official, on behalf of the Pharmacies and the Health Care Benefit Options, shall periodically review this Security Policy and update it as needed in response to environmental or operational changes affecting the security of E-PHI.

(d) Documentation. A written record of this Security Policy and of any change or revision made thereto pursuant to this Section 8.1 shall be documented and maintained in accordance with Article VIII hereof.

Section 8.2 Documentation
In accordance with the Security Standards and this Security Policy, the Pharmacies and the Health Care Benefit Options shall document, and retain such documentation in accordance with the provisions of this Article VIII, the following:

(a) Decisions by or on behalf of the Pharmacies and the Health Care Benefit Options not to implement any addressable implementation specification set forth in the Security Standards, and why it is not reasonable or appropriate to implement any such specification;
(b) Written documentation of Security Incidents and their outcomes in accordance with Section 4.8; and

(c) Written record of any change or revision made to this Security Policy as contemplated by Section 8.1.

Section 8.3 Availability
This Security Policy and any updates or changes thereto will be made available to the Security Official (or his or her delegate) and to any other employees or individuals who are responsible for implementing, on behalf of the Pharmacies and the Health Care Benefit Options, any of the procedures contained herein.

Section 8.4 Record Retention Period Requirement
Any action, activity or designation required under this Security Policy to be documented shall be maintained in writing or in electronic form for a period of six years (or such other period as may be required by law) from the date of its creation or, if later, the date it was last in effect.

ARTICLE IX SECURITY OFFICIAL

Section 9.1 Security Official
The individual identified in Exhibit A to this Security Policy shall be the Security Official with respect to the Pharmacies and the Health Care Benefit Options.

Section 9.2 Duties
The Security Official's duties include the following:
(a) Develop a thorough understanding of the Security Standards and this Security Policy;
(b) Implement and enforce this Security Policy;
(c) Ensure that all relevant personnel (including new hires) receive training with respect to this Security Policy;
(d) Investigate potential violations of this Security Policy;
(e) Monitor vendor compliance with the security provisions of business associate contracts; and
(f) Administer, in coordination with IT and ISO Department personnel, a program for restricting or permitting access to Protected Health Information that complies with this Security Policy.

Section 9.3 Delegation
The Security Official may delegate his or her responsibilities and duties to one or more persons, provided that such delegation is in writing and otherwise in accordance with Delhaize personnel procedures.
ARTICLE X DISCLOSURES TO EMPLOYER

The Health Care Benefit Options may make a Disclosure to the Participating Employer for plan administration functions if the plan document includes, and the plan is administered in accordance with, provisions requiring each Participating Employer to:
(a) implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any E-PHI that the Participating Employer creates, receives, maintains or transmits on behalf of the Health Care Benefit Options;
(b) ensure that any agent to whom it provides E-PHI that the Participating Employer creates, receives, maintains or transmits on behalf of the Health Care Benefit Options agrees to implement reasonable and appropriate security measures to protect such information;
(c) implement reasonable and appropriate security measures to support the adequate separation between the Health Care Benefit Options and the Participating Employer; and
(d) report to the Security Official (or his or her delegate) the occurrence of any Security Incident impacting the Health Care Benefit Options of which it becomes aware.