The Chief Information Security Officer is the HIPAA Security Officer (“Security Officer”) for the Plan. The Security Officer is responsible for the development and implementation of the Plan’s policies and procedures relating to security, including but not limited to this Security Policy.

The Plan has no employees. All of the Plan’s functions, including creation and maintenance of its records, are carried out by employees of the Employer and by Business Associates of the Plan. The Plan does not own or control any of the equipment or media used to create, maintain, receive, and transmit e-PHI relating to the Plan, or any of the facilities in which such equipment and media are located. Such equipment, media, and facilities are owned or controlled by the Employer, the third-party administrator and other Business Associates. Accordingly, the Employer and Business Associates create and maintain all of the e-PHI relating to the Plan, own or control all of the equipment, media, and facilities used to create, maintain, receive, or transmit e-PHI relating to the Plan, and control their employees, agents, and subcontractors who have access to e-PHI relating to the Plan. The Plan has no ability to assess or in any way modify any potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI relating to the Plan. That ability lies solely with the Employer, the third-party administrator, and other Business Associates.

The Plan has no access to or control over the employees, equipment, media, facilities, policies, procedures, or documentation of the Employer, the third-party administrator, and other Business Associates affecting the security of Plan e-PHI. Therefore, the Employer, the third-party administrator and other Business Associates, on behalf of the Plan, have undertaken certain obligations (including, but not limited to, the standards set forth below) relating to the security of e-PHI that they handle in relation to the performance of administrative functions for the Plan. The Plan’s policies and procedures, including this Security Policy, do not separately address the following standards (including the implementation specifications associated with them) established under HIPAA that are set out in Subpart C of 45 C.F.R. Part 164:

• security management process;
• assigned security responsibility and workforce security;
• information access management;
• security awareness and training;
• security incident procedures;
• contingency plan;
• evaluation;
• facility access controls;
• workstation use;
• workstation security;
• device and media controls;
• access control;
• audit controls;
• integrity;
• person or entity authentication; and
• transmission security.

Rather, any HIPAA security policies and procedures of the Employer, the third-party administrator, and/or other Business Associates for e-PHI of the Plan for the standards listed above are incorporated by reference and hereby adopted by the Plan.

Certain employees of the Employer responsible for Plan administration, acting on behalf of the Plan, have conducted an analysis of any potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI relating to the Plan created or maintained by Employer. That assessment shall be separately documented and shall list any applicable policies of Employer that address the HIPAA security standards and implementation specifications.

Based on the analysis described above, the Plan has determined that it need not take any additional security measures, other than the measures set forth herein and the measures of the Employer and Business Associates, to reduce risks to the confidentiality, integrity and availability, of e-PHI.

The Plan manages risks to its e-PHI by limiting vulnerabilities, based on its risk analyses, to a reasonable and appropriate level, taking into account the following:

• the size, complexity, and capabilities of the Plan;
• the Plan’s technical infrastructure, hardware, software, and security capabilities;
• the costs of security measures; and
• the criticality of the e-PHI potentially affected.

Based on risk analysis discussed in Section 3.2, the Plan made a reasoned, well-informed, and good-faith determination on the implementation of the HIPAA security regulations that it need not take any additional security measures, other than the measures set forth herein and the measures of the Employer, the third-party administrator, and other Business Associates, to reduce risks to the confidentiality, integrity, and availability of e-PHI.

The Plan Document shall include provisions requiring the Employer to:

• implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the e-PHI that the Employer creates, receives, maintains, or transmits on behalf of the Plan (the “Plan e-PHI”);
• ensure that reasonable and appropriate security measures support the Plan Document provisions providing for adequate separation between the Plan and the Employer (which were adopted as described in the Plan's HIPAA Privacy Policy);
• ensure that any agents or subcontractors to whom the Employer provides Plan e-PHI agree to implement reasonable and appropriate security measures to protect the Plan e-PHI through a written contractual agreement that complies with 45 C.F.R. § 164.314; and
• report to the Security Officer any Security Incident of which the Employer becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410.

The Plan permits the third-party administrator and other Business Associates to create, receive, maintain, or transmit e-PHI on its behalf. The Plan has obtained or will obtain satisfactory assurances from all Business Associates that they will appropriately safeguard the information. Such satisfactory assurances shall be documented through a written contract in accordance with 45 C.F.R. § 164.314 and specifically provide that the Business Associate will:

• implement administrative, physical, and technical safeguards and documentation requirements that reasonably and appropriately protect the confidentiality, integrity, and availability of the Electronic PHI that the Business Associate creates, receives, maintains, or transmits on behalf of the Plan (the “Contract e-PHI”);
• ensure that any agents or subcontractors to whom the Business Associate provides Contract e-PHI agree to implement reasonable and appropriate security measures to protect the Contract e-PHI through a written contractual agreement in accordance with 45 C.F.R. § 164.314;
• report to the Plan any Security Incident of which the Business Associate becomes aware, including breaches of unsecured PHI as required by 45 C.F.R. § 164.410;
• take required steps with respect to breach notification requirements; and
• authorize termination of the contract by the Plan if the Plan determines that the Business Associate has violated a material term of the contract.

The Plan will comply with the requirements of the HITECH Act, and its implementing regulations, and the Omnibus Rule to provide notification to affected individuals, the Department of Health and Human Services, and the media (when required) if the Plan or one of its Business Associates discovers that there is a breach of unsecured PHI in accordance with the Plan’s Policy and Procedure for Notification of a Breach of Unsecured Protected Health Information.

The Plan and/or the Employer may rely upon Business Associates to undertake a risk assessment to determine whether a breach of PHI has occurred and whether such breach results in any reporting obligations for the Plan. Upon completion of a Business Associate’s risk assessment, the Employer shall review the Business Associate’s determination and recommendation and make a decision on behalf of the Plan as to whether or not to accept such determination and recommendation. In the event the Employer accepts the determination and recommendation of the Business Associate, the Employer shall undertake any necessary actions, on behalf of the Plan, including delegation of any notification obligations to the Business Associate. Should the Employer reject the Business Associate’s determination and recommendation, the Employer shall undertake an independent risk assessment to determine whether a breach of PHI has occurred and shall act accordingly.

The Security Policy shall be reviewed periodically and updated as necessary in response to environmental or operational changes affecting the security of Plan e-PHI, and any changes to the Security Policy will be documented promptly.

Except to the extent that they are carried out by the Employer or Business Associates, the Plan shall document certain actions, activities, and assessments with respect to e-PHI required by HIPAA to be documented.

Policies, procedures, and other documentation controlled by the Plan may be maintained in either written or electronic form. The Plan will maintain such documentation for at least six (6) years from the date of creation or the date last in effect, whichever is later.

The Plan will make its policies, procedures, and other documentation available to the Security Officer and the Employer, the third-party administrator, and other Business Associates or other persons responsible for implementing the procedures to which the documentation pertains.

• HIPAA Privacy Policy
• HIPAA Breach Notification Policy
• HIPAA Notice of Privacy Practices

N/A

N/A

N/A

N/A