1.1 W. Va. Code § 18B-1-6
The West Virginia School of Osteopathic Medicine (“WVSOM”), through contractual research agreements with health care facilities and other covered entities, may have access to or come to possess certain sensitive and confidential information, including Protected Health Information. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations, as amended, protect such information and prohibit its unauthorized access, use, or disclosure.
This policy shall be applicable to any WVSOM employee, student, volunteer, or others (“Researchers”) who, through participation in approved Research Projects, shall have access to and/or use of Protected Health Information. This policy shall also apply to any clinical faculty (“Clinical Faculty”) who, through their clinical duties at other Covered Entities, including, but not limited to, the Robert C. Byrd Clinic, may have access to and/or use of Protected Health Information. WVSOM, its Researchers, Clinical Faculty, and any other employee or student authorized to access PHI shall protect such information as required by HIPAA, HITECH, their implementing regulations as amended, this policy, and applicable WVSOM procedures. WVSOM is not a Covered Entity, does not provide health care services, and no department or program functions as a Covered Entity or health care facility. Further, WVSOM is not a Business Associate of any Covered Entity, and does not perform any functions on behalf of any Covered Entity. As WVSOM is neither a Covered Entity nor a Business Associate, WVSOM, as an organization, is not subject to HIPAA; however, Researchers, Clinical Faculty, and any other employee or student authorized to access PHI must follow this policy and all applicable HIPAA regulations.
The purpose of this policy and the procedures listed in Section 5.1 is to:
Protect WVSOM's information and system resources.
Help to ensure the confidentiality, integrity, and availability of information assets that may contain or transmit electronic Protected Health Information.
Establish an information security and privacy policy management and governance structure.
Create awareness for the Researchers and Clinical Faculty in making information security decisions in accordance with this policy and applicable WVSOM procedures.
Help protect sensitive and confidential information from unauthorized use, disclosure, modification, or destruction as required by HIPAA, HITECH, and their implementing regulations.
Provide direction to those responsible for the design, implementation, and maintenance of systems that support WVSOM's operations.
Clarify management and other responsibilities and duties with respect to the protection of information assets and resources.
Support compliance with HIPAA, HITECH, their applicable regulations, as amended, and other applicable legal and regulatory requirements.
WVSOM shall implement and maintain procedures to support this policy which set forth security and privacy requirements for all WVSOM Researchers, Clinical Faculty, or any other employee or student authorized to have access to PHI or that create, maintain, store, access, process, or transmit information. Those procedures address the following categories:
HIPAA Information Security and Privacy Program
Security and Privacy Management Process
Awareness and Training
Facility Access, Network/Data Transmission, and Storage Safeguard
Security Incident and Privacy Breach Response
This policy and supporting procedures apply to all of WVSOM’s Researchers, Clinical Faculty, and any other student or employee given authorization to access PHI, generally under an approved Research Project. Prior to accessing any PHI, Researchers and Clinical Faculty, or any others who may access PHI, shall sign a confidentiality agreement which states that they 1) have read this policy and accompanying procedures; 2) have participated in HIPAA training and awareness; 3) understand and acknowledge their obligations with respect to access, use, storage, and disclosure of PHI; 4) agree to access PHI only and exclusively through HIPAA-compliant Access Software; and 5) agree to promptly report any breach of PHI using the appropriate forms as approved by WVSOM.
This policy and supporting procedures pertain to all WVSOM systems, applications and information in all forms in all locations where WVSOM business processes are performed.
This policy and supporting procedures cover WVSOM’s network system which is comprised of various hardware, software, communication equipment and other devices designed to assist WVSOM in the creation, receipt, storage, processing, and transmission of information. This includes equipment connected to any WVSOM domain or Virtual Local Area Networks (“VLAN”), either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by WVSOM at its office locations or at remote locales, and the personally-owned computing devices used for WVSOM purposes.
The following terms as used throughout this policy and supporting procedures shall have the meanings as set forth in this section.
“Access Software” means a software program that includes secure remote access, cloud storage, secure messaging, and/or electronic signature solutions designed to be compliant with applicable HIPAA regulations and to protect the privacy and confidentiality of PHI. Features, updates, and HIPAA compliance are the responsibility of the vendor which owns and/or operates the Access Software.
“Breach” means the unauthorized acquisition, access, use, or disclosure of Protected Health Information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. The term “Breach” does not include any unintentional acquisition, access, or use of Protected Health Information by a WVSOM student or employee if:
such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with WVSOM; and such information is not further used or disclosed in an unauthorized manner; or
any inadvertent disclosure by a person who is authorized to access Protected Health Information to another person with the same authorization; and the information received as a result of such disclosure is not further used or disclosed in an unauthorized manner; or
the disclosure of Protected Health Information where WVSOM has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
“Business Associate” means a person or entity that creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity as described in § 164.308(b) of the Security Rule and § 164.502(e) of the Privacy Rule, but other than in the capacity of a member of the workforce of such Covered Entity.
“Clinical Faculty” means a WVSOM employee who is considered a member of the faculty, and who, through their employment agreement with WVSOM, is authorized to and is actively practicing medicine at a Covered Entity, which includes, but is not limited to, the Robert C. Byrd Clinic, and who may be authorized to access PHI of their current or former patients, in their role as a physician for such Covered Entity.
“Electronic Protected Health Information” or “EPHI” means Protected Health Information in any type of electronic form.
“Health Information Technology” or “HIT” means hardware, software, integrated technologies or related licenses, intellectual property, upgrades, or packaged solutions sold as services that are designed for or support the use by health care entities or patients for the electronic creation, maintenance, access, or exchange of health information.
“Individually Identifiable Health Information” or “IIHI” has the same meaning as Protected Health Information.
“Information Security” means the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
“Protected Health Information” or “PHI” means Individually Identifiable Health Information:
That is:
Transmitted by or maintained in electronic media; or
Transmitted by or maintained in any other form or medium.
PHI excludes Individually Identifiable Health Information in:
Education Records as defined by the Family Educational Rights and Privacy Act.
Records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.
Employment records held by an entity in its role as employer.
Records regarding a person who has been deceased for more than 50 years.
PHI is information that is a subset of health information, including demographic information collected from an individual, and:
Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
That identifies the individual; or
With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The explicitly identified PHI items are set forth as follows:
Names
Addresses
Geographic subdivisions smaller than a state
All elements of dates directly related to the individual (dates of birth, marriage, death, dates of service, etc.)
Telephone numbers
Facsimile numbers
Driver’s license numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers, certificate/license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers
Full face photographic images and any comparable images
Genetic data that is individually unique
“Personally Identifiable Information” or “PII” means any piece of information, or combination of information items, that can be associated with one individual. PII items are typically considered to be those explicitly specified in any one of a number of data protection and privacy laws.
“Personal Information” means information that can be linked to a specific individual, group of individuals, or reveal activities or other types of characteristics of an individual or group. Many types of Personal Information are not explicitly protected by any law or regulation. PII is a subset of Personal Information.
“Qualified Electronic Health Record” means an electronic record of health-related information on an individual that:
includes patient demographic and clinical health information, such as medical history and problem lists; and
has the capacity to:
provide clinical decision support;
support physician order entry;
capture and query information relevant to health care quality; and
exchange electronic health information with, and integrate such information from, other sources.
“Research Project” means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge, and that has been approved by WVSOM’s Office of Research and Sponsored Programs (“ORSP”), through applicable policies and procedures.
“Researcher” means employees, volunteers, students, trainees, and other persons who, through performing research-related or research support duties under an approved Research Project, may have access to or use of Protected Health Information.
In the course of a Research Project, Researchers may obtain, create, use and/or disclose PHI. Unless the PHI has been de-identified by the Covered Entity prior to permitting WVSOM’s Researchers access, WVSOM must obtain one of the following, in conjunction with the Research Project:
Individual authorization of PHI for research purposes, in which each individual whose PHI is to be disclosed for use in research must sign a waiver of authorization, originating with the Covered Entity, that meets all applicable requirements of the HIPAA Privacy Rule; or
Approval from WVSOM’s Institutional Review Board (“IRB”) to proceed with a Research Project under a waiver of authorization of those individuals whose PHI is to be disclosed for use in research. This approval is generally for those Research Projects that are unable to use de-identified PHI, and when the research could not practically be conducted if individual authorization was required. Such approval must include: 1) date of approval and identification of the IRB; 2) a statement that the IRB has determined the waiver of authorization satisfies the criteria of the Privacy Rule, and has been reviewed under normal and applicable review procedures; 3) a brief description of the PHI for which access has been determined to be necessary by the IRB; and 4) signature of the IRB Chair.
Any Researcher or Clinical Faculty who violates this policy or procedures may be subject to disciplinary action up to and including termination of employment, termination of contract, or dismissal from school, as applicable.
This policy will be implemented using applicable WVSOM policies and procedures and WVSOM faculty, employee, and student handbooks.
HIPAA, 45 C.F.R. § 164.306, Security Standards: General Rules
HIPAA, 45 C.F.R. § 164.501, 164.508, 164.512(i), Research
NIST SP 800-66
NIST SP 800-37
NIST SP 800-53
ISO/IEC 27001, A.5 Security Policy
ISO/IEC 27002:2005, Section 5: Security Policy