Policy Contact
Chief Information Security Officer Email 401-863-7266

HIPAA Security Policy

Policy No. Issue Date Effective Date
08.10.11

1.0 Policy Purpose

This policy sets forth the responsibilities of Brown University’s (the “Employer”) self-funded group health plans to implement various security measures with respect to the plans’ electronic protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

2.0 To Whom the Policy Applies

All members of the Employer’s workforce who have access to Protected Health Information (“PHI”) must comply with this HIPAA Security Policy. For the purposes of this Security Policy, the Employer’s workforce includes individuals who would be considered part of the workforce under HIPAA, such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the Employer, whether or not they are paid by the Employer. The term “employee” includes all of these types of workers.

3.0 Policy Statement

The Employer sponsors the following self-funded group health benefits:

  • Medical
  • Prescription Drug
  • Dental
  • Disease Management
  • Health Care Flexible Spending Account
  • Wellness Program

For purposes of this HIPAA Security Policy (“Security Policy”), the self-funded benefits listed above are referred to collectively and singularly as the “Plan.” The Employer designated the Plans as an affiliated covered entity (within the meaning of 45 C.F.R. § 164.105(b)) and an organized healthcare arrangement (within the meaning of 45 C.F.R. § 160.103). These components of the Plan may share an individual’s PHI with one another, subject to the requirements set forth in the HIPAA rules (see, e.g., 45 C.F.R. §§ 164.105, 164.506, and 164.520).

Members of the Employer’s workforce may create, receive, maintain, or transmit electronic Protected Health Information on behalf of the Employer, for Plan administration functions. The Plan is administered by a third-party administrator and has one or more Business Associates that perform functions for the Plan.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations and guidance require the Plan to implement various security measures with respect to Electronic Protected Health Information (“e-PHI”).

It is the Plan’s policy to comply fully with the requirements of HIPAA’s security regulations.

No third-party rights (including but not limited to rights of Plan participants, beneficiaries, or covered dependents) are intended to be created by this Security Policy. The Plan reserves the right to amend or change this Security Policy at any time (and even retroactively) without notice. To the extent that this Security Policy establishes requirements and obligations above and beyond those required by HIPAA, the Security Policy shall be aspirational and shall not be binding upon the Plan. This Security Policy does not address requirements under state law or federal laws other than HIPAA.

The Employer has determined that it does not currently hold, create, or receive any e-PHI related to the Plan. The provisions of this Security Policy, and any necessary amendments, shall be applied to the extent the Plan ever holds, creates, or receives e-PHI in the future.

3.1 Security Officer

The Chief Information Security Officer is the HIPAA Security Officer (“Security Officer”) for the Plan. The Security Officer is responsible for the development and implementation of the Plan’s policies and procedures relating to security, including but not limited to this Security Policy.

3.2 Risk Analysis

The Plan has no employees. All of the Plan’s functions, including creation and maintenance of its records, are carried out by employees of the Employer and by Business Associates of the Plan. The Plan does not own or control any of the equipment or media used to create, maintain, receive, and transmit e-PHI relating to the Plan, or any of the facilities in which such equipment and media are located. Such equipment, media, and facilities are owned or controlled by the Employer, the third-party administrator and other Business Associates. Accordingly, the Employer and Business Associates create and maintain all of the e-PHI relating to the Plan, own or control all of the equipment, media, and facilities used to create, maintain, receive, or transmit e-PHI relating to the Plan, and control their employees, agents, and subcontractors who have access to e-PHI relating to the Plan. The Plan has no ability to assess or in any way modify any potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI relating to the Plan. That ability lies solely with the Employer, the third-party administrator, and other Business Associates.

The Plan has no access to or control over the employees, equipment, media, facilities, policies, procedures, or documentation of the Employer, the third-party administrator, and other Business Associates affecting the security of Plan e-PHI. Therefore, the Employer, the third-party administrator and other Business Associates, on behalf of the Plan, have undertaken certain obligations (including, but not limited to, the standards set forth below) relating to the security of e-PHI that they handle in relation to the performance of administrative functions for the Plan. The Plan’s policies and procedures, including this Security Policy, do not separately address the following standards (including the implementation specifications associated with them) established under HIPAA that are set out in Subpart C of 45 C.F.R. Part 164:

  • security management process;
  • assigned security responsibility and workforce security;
  • information access management;
  • security awareness and training;
  • security incident procedures;
  • contingency plan;
  • evaluation;
  • facility access controls;
  • workstation use;
  • workstation security;
  • device and media controls;
  • access control;
  • audit controls;
  • integrity;
  • person or entity authentication; and
  • transmission security.

Rather, any HIPAA security policies and procedures of the Employer, the third-party administrator, and/or other Business Associates for e-PHI of the Plan for the standards listed above are incorporated by reference and hereby adopted by the Plan.

Certain employees of the Employer responsible for Plan administration, acting on behalf of the Plan, have conducted an analysis of any potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI relating to the Plan created or maintained by the Employer. That assessment shall be separately documented and shall list any applicable policies of the Employer that address the HIPAA security standards and implementation specifications.

Based on the analysis described above, the Plan has determined that it need not take any additional security measures, other than the measures set forth herein and the measures of the Employer and Business Associates, to reduce risks to the confidentiality, integrity, and availability of e-PHI.

3.3 Risk Management

The Plan manages risks to its e-PHI by limiting vulnerabilities, based on its risk analyses, to a reasonable and appropriate level, taking into account the following:

  • the size, complexity, and capabilities of the Plan;
  • the Plan’s technical infrastructure, hardware, software, and security capabilities;
  • the costs of security measures; and
  • the criticality of the e-PHI potentially affected.

Based on the risk analysis discussed in Section 3.2, the Plan made a reasoned, well-informed, and good-faith determination on the implementation of the HIPAA security regulations that it need not take any additional security measures, other than the measures set forth herein and the measures of the Employer, the third-party administrator, and other Business Associates, to reduce risks to the confidentiality, integrity, and availability of e-PHI.

3.4 Plan Document

The Plan Document shall include provisions requiring the Employer to:

  • implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the e-PHI that the Employer creates, receives, maintains, or transmits on behalf of the Plan (the “Plan e-PHI”);
  • ensure that reasonable and appropriate security measures support the Plan Document provisions providing for adequate separation between the Plan and the Employer (which were adopted as described in the Plan's HIPAA Privacy Policy);
  • ensure that any agents or subcontractors to whom the Employer provides Plan e-PHI agree to implement reasonable and appropriate security measures to protect the Plan e-PHI through a written contractual agreement that complies with 45 C.F.R. § 164.314; and
  • report to the Security Officer any Security Incident of which the Employer becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410.

3.5 Disclosures of e-PHI to Third-Party Administrator and Other Business Associates

The Plan permits the third-party administrator and other Business Associates to create, receive, maintain, or transmit e-PHI on its behalf. The Plan has obtained or will obtain satisfactory assurances from all Business Associates that they will appropriately safeguard the information. Such satisfactory assurances shall be documented through a written contract in accordance with 45 C.F.R. § 164.314 and specifically provide that the Business Associate will:

  • implement administrative, physical, and technical safeguards and documentation requirements that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that the Business Associate creates, receives, maintains, or transmits on behalf of the Plan (the “Contract e-PHI”);
  • ensure that any agents or subcontractors to whom the Business Associate provides Contract e-PHI agree to implement reasonable and appropriate security measures to protect the Contract e-PHI through a written contractual agreement in accordance with 45 C.F.R. § 164.314;
  • report to the Plan any Security Incident of which the Business Associate becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410;
  • take required steps with respect to breach notification requirements; and
  • authorize termination of the contract by the Plan if the Plan determines that the Business Associate has violated a material term of the contract.

3.6 Breach Notification Requirements

The Plan will comply with the requirements of the HITECH Act, its implementing regulations, and the Omnibus Rule to provide notification to affected individuals, the Department of Health and Human Services, and the media (when required) if the Plan or one of its Business Associates discovers that there is a breach of unsecured PHI, in accordance with the Plan’s Policy and Procedure for Notification of a Breach of Unsecured Protected Health Information.

The Plan and/or the Employer may rely upon Business Associates to undertake a risk assessment to determine whether a breach of PHI has occurred and whether such breach results in any reporting obligations for the Plan. Upon completion of a Business Associate’s risk assessment, the Employer shall review the Business Associate’s determination and recommendation and make a decision on behalf of the Plan as to whether or not to accept such determination and recommendation. In the event the Employer accepts the determination and recommendation of the Business Associate, the Employer shall undertake any necessary actions, on behalf of the Plan, including delegation of any notification obligations to the Business Associate. Should the Employer reject the Business Associate’s determination and recommendation, the Employer shall undertake an independent risk assessment to determine whether a breach of PHI has occurred and shall act accordingly.

3.7 Documentation

The Security Policy shall be reviewed periodically and updated as necessary in response to environmental or operational changes affecting the security of Plan e-PHI, and any changes to the Security Policy will be documented promptly.

Except to the extent that they are carried out by the Employer or Business Associates, the Plan shall document certain actions, activities, and assessments with respect to e-PHI required by HIPAA to be documented.

Policies, procedures, and other documentation controlled by the Plan may be maintained in either written or electronic form. The Plan will maintain such documentation for at least six (6) years from the date of creation or the date last in effect, whichever is later.

The Plan will make its policies, procedures, and other documentation available to the Security Officer and the Employer, the third-party administrator, and other Business Associates or other persons responsible for implementing the procedures to which the documentation pertains.

4.0 Definitions

Business Associate:

An entity (other than the Employer), such as a third-party administrator, that:

  • performs or assists in performing a Plan function or activity involving the use and disclosure of PHI (including claims processing or administration, data analysis, underwriting, etc.);
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI; or
  • is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another Business Associate.

Electronic Media:

  • Electronic storage media including, but not limited to, memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
  • Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including paper, facsimile, and voice via telephone, are not considered to be transmissions via Electronic Media because the information being exchanged did not exist in electronic form before the transmission.

Electronic Protected Health Information (“e-PHI”):

Protected Health Information that is transmitted by or maintained in Electronic Media.

Protected Health Information (“PHI”):

The information that is subject to and defined in the Plan’s privacy policies and procedures. For purposes of this Security Policy, PHI does not include the following, referred to in this Security Policy as “Exempt Information:”

  • summary health information, as defined by HIPAA’s privacy rules, for purposes of (a) obtaining premium bids, or (b) modifying, amending, or terminating the Plan;
  • enrollment and disenrollment information concerning the Plan, held by the Employer, which does not include any substantial clinical information; or
  • PHI disclosed to the Plan and/or Employer under a signed authorization that meets the requirements of the HIPAA privacy rules.

5.0 Responsibilities

All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure compliance with it.

6.0 Consequences for Violating this Policy

Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.

7.0 Related Information

This policy is not a legal document. This policy does not confer a term of employment, nor is the language intended to establish a contract of employment, express or implied, between any employee and Brown University. The University reserves the right to change, amend or terminate any of its human resources policies at any time for any reason.

Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).

The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.

7.2 Related Procedures:

N/A

7.3 Related Forms:

N/A

7.4 Frequently Asked Questions (FAQs):

N/A

7.5 Other Related Information:

N/A

Policy Owner and Contact(s)

Policy Owner: Vice President for Human Resources

Policy Approved by: Executive Vice President for Finance and Administration

Contact Information:

Chief Information Security Officer Email 401-863-7266

Policy History

Policy Issue Date:

Policy Effective Date:

Policy Update/Review Summary:

N/A