University Policy 106
Identity Theft Prevention Program

Approved by Executive Council: April 13, 2009
Posted: April 28, 2009
Policy Topic: Information Technology
Administering Offices: Finance; Division of Information Technology

I. PROGRAM ADOPTION

As a best practice, and using as a guide the Federal Trade Commission’s (“FTC”) Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003, Western Carolina University (“University”) developed this Identity Theft Prevention Program (“Program”). This Program was developed with oversight and approval of the University Board of Trustees. After consideration of the size and complexity of the University’s operations and account systems, and the nature and scope of the University’s activities, the University Board of Trustees determined that this Program was appropriate for the University, and therefore approved this Program on June 5, 2009.

The purpose of the Program is to detect, prevent and mitigate identity theft in connection with any covered account. This program envisions the creation of policies and procedures in order to achieve these goals.

II. DEFINITIONS

“Covered Account” means (i) any account that constitutes a continuing financial relationship or is designed to permit multiple payments or transactions, including Perkins Loans, FFEL loans (Stafford loans and PLUS loans), student emergency loans, and any other student accounts and loans administered by the University; and (ii) any other account the University offers or maintains for which there is a reasonably foreseeable risk to holders of the account or to the safety and soundness of the University from Identity Theft.

“Identifying Information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including, but not limited to: name; address; telephone number; social security number; date of birth; government-issued driver’s license or identification number; alien registration number; government passport number; employer or taxpayer identification number; individual identification number; computer’s Internet Protocol address; or bank or other financial account routing code.

“Identity Theft” means a fraud committed or attempted using the Identifying Information of another person without authority.

“Program Administrator” means the individual designated in this document with primary responsibility for oversight of the Program.

“Red Flag” means a pattern, practice, alert or specific activity that indicates the possible existence of Identity Theft.

“Service Provider” means a person or entity that provides a service directly to the University.

III. PROGRAM

A. Identification of Covered Accounts

The University shall periodically determine whether it offers or maintains Covered Accounts. Such determination shall take into consideration the following: (i) the methods utilized to open and close Covered Accounts; (ii) methods utilized to access Covered Accounts; and (iii) previous history with Identity Theft.

B. Identification of Red Flags

In order to identify relevant Red Flags, the University considers the types of Covered Accounts it offers or maintains, the methods it provides to open its Covered Accounts, the methods it provides to access its Covered Accounts, and its previous experiences with Identity Theft. Red Flags may be detected while implementing existing account opening and servicing procedures such as: individual identification, caller authentication, third party authorization, and address changes.

The University identifies the following Red Flags in each of the listed categories:

1. Notifications and Warnings from Consumer Reporting Agencies

  1. Report of fraud accompanying a credit report;
  2. Notice or report from a credit agency of a credit freeze on an applicant;
  3. Notice or report from a credit agency of an active duty alert for an applicant;
  4. Receipt of a notice of address discrepancy in response to a credit report request; and
  5. Indication from a credit report of activity that is inconsistent with an applicant’s usual pattern or activity.

2. Suspicious Documents

  1. Identification document or card that appears to be forged, altered or inauthentic;
  2. Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
  3. Other document with information that is not consistent with existing individual information; and
  4. Application for service that appears to have been altered or forged.

3. Suspicious Personal Identifying Information

  1. Identifying Information presented that is inconsistent with other information the individual provides (e.g., inconsistent birth dates);
  2. Identifying Information presented that is inconsistent with other sources of information (e.g., an address not matching an address on a loan application);
  3. Identifying Information presented that is the same as information shown on other applications that were found to be fraudulent;
  4. Identifying Information presented that is consistent with fraudulent activity (e.g., an invalid phone number or fictitious billing address);
  5. Social Security number presented that is the same as one given by another individual;
  6. An address or phone number presented that is the same as that of another person;
  7. A person fails to provide complete personal Identifying Information on an application when reminded to do so; and
  8. A person’s Identifying Information is not consistent with the information that is on file for the individual.

4. Suspicious Covered Account Activity

  1. Change of address for an account followed by a request to change the individual’s name;
  2. Payments stop on an otherwise consistently up-to-date account;
  3. Account used in a way that is not consistent with prior use;
  4. Mail sent to the individual is repeatedly returned as undeliverable;
  5. Notice to the University that an individual is not receiving mail sent by the University;
  6. Notice to the University that an account has unauthorized activity;
  7. Breach in the University’s computer system security; and
  8. Unauthorized access to or use of individual account information.

5. Alerts from Others

  1. Notice to the University from an individual, Identity Theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.

C. Detection of Red Flags

1. Student Enrollment

In order to detect any of the Red Flags identified above associated with the enrollment of a student, University personnel shall take the following steps to obtain and verify the identity of the person opening the account:

  1. Require certain Identifying Information such as name, date of birth, academic records, home address or other identification; and
  2. Verify the individual’s identity at time of issuance of individual identification card (review of driver’s license or other government-issued photo identification).

2. Existing Accounts

In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel shall take the following steps to monitor transactions on an account:

  1. Verify the identification of individuals if they request information (in person, via telephone, via facsimile, via email);
  2. Verify the validity of requests to change billing addresses by mail or email and provide the individual a reasonable means of promptly reporting incorrect billing address changes; and
  3. Verify changes in banking information given for billing and payment purposes.

3. Consumer (“Credit”) Report Requests

In order to detect any of the Red Flags identified above for an employment or volunteer position for which a credit or background report is sought, the University’s Office of Human Resources personnel shall take the following steps to assist in identifying address discrepancies:

  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and
  2. In the event that a notice of an address discrepancy is received from a consumer reporting agency, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that the University has reasonably confirmed is accurate.

D. Response to Red Flags / Prevention and Mitigation of Identity Theft

In the event University personnel detect any identified Red Flags, such personnel shall immediately notify the Program Administrator who may take or cause to be taken any one or more of the following steps, depending on their determination of the degree of risk posed by the Red Flag:

1. Prevent and Mitigate Fraudulent Account Activity

  1. Immediately notify the Data Security and Stewardship Committee and/or the Computer Security Incident Response Team as may be appropriate;
  2. Complete or oversee additional authentication to determine whether the attempted transaction was fraudulent or authentic, and determine appropriate steps to take;
  3. Continue to monitor a Covered Account for evidence of Identity Theft;
  4. Notify the individual who is the subject of fraudulent account activity;
  5. Change any passwords, security codes or other security devices that permit access to Covered Accounts;
  6. Cancel the transaction;
  7. Refuse to open a new Covered Account;
  8. Close an existing Covered Account;
  9. Provide the individual with a new individual identification number, if feasible;
  10. Notify and cooperate with law enforcement as may be appropriate;
  11. File or assist in filing a Suspicious Activity Report (“SAR”) with the Financial Crimes Enforcement Network, United States Department of the Treasury; or
  12. Determine that no response is warranted under the particular circumstances.

2. Protect Individual Identifying Information

In order to further prevent the likelihood of Identity Theft occurring with respect to Covered Accounts, the University will take the following steps with respect to its internal operating procedures to protect individual Identifying Information:

  1. Ensure that the University website is secure or provide clear notice that the website is not secure;
  2. Ensure complete and secure destruction of paper and electronic records containing confidential Identifying Information when such records no longer need to be maintained, subject to and in accordance with the UNC General Records Retention and Disposition Schedule (2007); http://www.wcu.edu/WebFiles/PDFs/IT_UNC_Records_Retention_Disposition_UNCGenSch14062007with_bkmarks.pdf
  3. Ensure that office computers with access to Covered Accounts and confidential Identifying Information are password protected and are used and maintained in accordance with all applicable University policies;
  4. Ensure compliance with University policies regarding passwords; http://www.wcu.edu/WebFiles/WordDocs/Password_Policy_Final_8_17_08.doc
  5. Ensure that mobile computing devices are password protected and encrypted, if possible, and locked in a secure location when not in use;
  6. Avoid the collection and use of Social Security numbers, except as expressly permitted by the North Carolina Identity Theft Protection Act;
  7. Ensure the security of the physical facilities that contain confidential Identifying Information;
  8. Ensure that transmission of information is limited and encrypted when necessary or desirable;
  9. Ensure computer virus protection is up to date; and
  10. Collect and maintain only the types and amount of confidential Identifying Information necessary for University business purposes, consistent with University policies and directives regarding the collection, maintenance, use, and disclosure of Social Security numbers.

3. Additional Identity Theft Prevention Measures

Each employee and contractor performing work for the University will use the following best practices:

  1. File cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with Identifying Information will be locked when not in use.
  2. External hard drives, flash drives, storage discs and any other electronic storage media containing Identifying Information will be secured in a locked room, drawer or cabinet when not in use.
  3. Storage rooms containing documents with Identifying Information will be locked at the end of each workday or when unsupervised.
  4. Desks, workstations, work areas, printers, scanners, and fax machines will be cleared of all documents containing Identifying Information when not in use.
  5. Printers, copiers, scanners, and fax machines used to make images containing Identifying Information will be located in secure areas (i.e., where there is no public traffic).
  6. Whiteboards, dry-erase boards, writing tablets, and other writing surfaces in common shared work areas will be erased, removed, or shredded when not in use.
  7. When documents containing Identifying Information are discarded, they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut shredding device. Locked shred bins are labeled “Confidential paper shredding and recycling.”
  8. Computing devices and all data storage devices are decommissioned consistent with all applicable University policies and procedures.

4. Related Policies and Procedures

This Program incorporates by reference the following internal policies and procedures:

  1. HIPAA Security Policies, appended hereto as Appendix A
  2. Gramm-Leach-Bliley Act Financial Information Security Plan, appended hereto as Appendix B
  3. University IT Division Password Policy
  4. University Policy #97, Data Security and Stewardship Policy
  5. University Policy #95, Data Network Security and Management
  6. University Policy #93, Electronic Email Policy
  7. University Policy #52, Use of Computers and Data Communications

IV. PROGRAM ADMINISTRATION

A. Oversight

Responsibility for oversight of the development, implementation, and administration of this Program lies with the Chief Information Officer (the Program Administrator), who also serves as Chair of the Data Security and Stewardship Committee. Program implementation and administration shall be assigned to the Data Security and Stewardship Committee. The Program Administrator shall be responsible for reviewing the reports referenced in Paragraph C below. Program compliance may be reviewed from time to time by the University Internal Auditor. The Program Administrator shall have the responsibility and authority to approve material revisions to this Program as may be necessary from time to time, consistent with Paragraph E below.

B. Staff Training

University employees responsible for implementing the Program shall be trained under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected.

C. Reports

Departments maintaining Covered Accounts shall report to the Program Administrator at least annually on compliance with this Program. The report shall address matters such as the effectiveness of the policies and procedures of the University in addressing the risk of Identity Theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts; Service Provider arrangements; significant incidents involving Identity Theft and the University’s response; and recommendations for material changes to the Program.

D. Service Provider Arrangements

In the event the University engages a Service Provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the Service Provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of Identity Theft.

  1. Require, by signed contract, that Service Providers have such policies and procedures in place; and
  2. Require, by signed contract, that Service Providers review the University’s Program and report any Red Flags to the Program Administrator.

E. Program Review and Updates

The Program Administrator shall review and update this Program periodically to reflect changes in risks to individuals and the University from Identity Theft. In doing so, the Program Administrator shall consider the University’s experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the University’s business arrangements with other entities.


Appendix A - Western Carolina University, HIPAA Security Policies

HIPAA Security Policy #2 - Information Security Third Party Management Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

WCU mandates that all contractors and other third parties with access to WCU electronic protected health care information ("ePHI") follow the HIPAA Security Policies and related information security policies as a condition of the relationship. All contracts with third parties must contain provisions that require the contractor to implement appropriate information security safeguards and maintain confidentiality of protected health care information. The nature and scope of appropriate safeguards will be determined by WCU. All employees of the contractor are required to sign confidentiality and/or business associate agreements. Contractors that create, receive, maintain or transmit ePHI must provide WCU with written assurances that safeguards are in place.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Office of General Counsel is responsible for preparing agreements regarding safeguarding ePHI, and for reviewing and approving contracts pursuant to University Policy #62.

Each department manager is responsible for overseeing the activities of contractors that perform services for the department and ensuring that appropriate safeguards are in place.

PERFORMANCE MEASUREMENT

Ultimately, the number of security incidents involving third parties entrusted with WCU ePHI determines the success or failure of this policy. It is important, therefore, that accurate information be collected on third party security practices and that policy violations or security incidents are reported to WCU.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

The designated Health Care Components of WCU may have contractual and business relationships with organizations and companies that perform functions on behalf of WCU designated Health Care Components. To be a "business associate" under HIPAA, a contractor must:

  • Perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information; or
  • Perform activities such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and practice management; or
  • Provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to WCU.

The following are not business associates or business associate relationships:

  • WCU workforce members, departments, and programs.
  • Medical providers providing treatment to individuals.
  • Another government agency performing enrollment or eligibility determinations involving WCU clients.
  • Contractual employees who work on-site at WCU and whose work is under the direct control of WCU may be considered members of the WCU workforce rather than business associates. These contractual employees must be trained on and comply with WCU privacy and data security policies and procedures.
  • Payment relationships
  • When the only information being disclosed is information that is de-identified or not individually identifiable health information.

WCU designated Health Care Components may disclose an individual’s ePHI to a business associate and may allow a business associate to create or receive an individual’s ePHI only when WCU has entered into a written agreement with the business associate. The written agreement must contain the terms specified below and must provide satisfactory assurance that the business associate will appropriately safeguard the information.

Required Terms and Conditions

A contract between WCU and a business associate must include terms and conditions that:

  • Establish the permitted and required uses and disclosures of ePHI by the business associate. The contract may not authorize the business associate to use or further disclose the information obtained from WCU in a way that would violate the HIPAA Privacy Rule. However, the contract may permit the business associate to use and disclose ePHI for its own proper management and administration and to provide data aggregation services.
  • Provide that the business associate will: 
    • Not use or further disclose ePHI other than as permitted or required by the contract, or as required by law
    • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the ePHI
    • Report to WCU any use or disclosure not allowed by the contract of which it becomes aware, and any breaches of ePHI security
    • Ensure that any agents or subcontractors to which it provides ePHI agree to the same restrictions and conditions that apply to the business associate under the contract
    • Make ePHI available for inspection and copying to the individual in compliance with WCU policy and the HIPAA Privacy Rule
    • Make ePHI available for amendment and incorporate any amendments to ePHI in accordance with WCU policy and the HIPAA Privacy Rule
    • Make available the information required to provide an accounting of disclosures in accordance with WCU policy and the HIPAA Privacy Rule
    • Make its internal practices, books, and records relating to the use and disclosure of ePHI available to WCU and to the U.S. Department of Health and Human Services for the purpose of determining compliance with the HIPAA Privacy Rule
    • At termination of the contract, if feasible, return and destroy all ePHI that the business associate still maintains in any form, and keep no copies. If not feasible, continue to protect the information.
  • Authorize termination of the contract by WCU, if WCU determines the business associate has violated a material term of the contract.

If the business associate of WCU is another governmental entity:

  • WCU may enter into a memorandum of understanding or inter-agency agreement with the business associate that contains all the terms and conditions required by the HIPAA Privacy Rule, except that it may omit the termination provision if this is inconsistent with statutory obligations of either agency.
  • If a governmental business associate is required by law to perform a function or activity on behalf of WCU, WCU may disclose ePHI to the other agency to the extent necessary to comply with the legal requirement without a written contract or agreement:
    • If other law or regulations applicable to the other agency accomplish the same objectives; or
    • WCU documents its good faith attempts to obtain satisfactory assurances from the other agency in compliance with the business associate terms and conditions and the reasons such assurances cannot be obtained.

The contract between WCU and its business associate may permit the business associate to use ePHI received from WCU for the business associate’s own proper management and administration and to carry out its legal responsibilities. If a disclosure for these purposes is not required by law, the business associate must obtain reasonable assurances from the person to whom the information is disclosed that it will hold the information confidential and only use or further disclose it for the purpose of the disclosure, reporting any breach to the business associate.

Standard Contract Language

The WCU Privacy Officer and General Counsel have developed standard language for business associate addenda to contracts. Generally, WCU staff should not negotiate new language on their own. In most cases, there should be no deviations from the standard business associate addendum.

Business Associate Non-Compliance

If WCU knows of a pattern of activity or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation under the contract or inter-agency agreement, WCU must:

  • Ensure that the business associate takes reasonable steps to cure the breach or end the violation, including working with and providing consultation to the business associate; or
  • Terminate the contract, if such steps are unsuccessful; or
  • If termination is not feasible, report the problem to the U.S. Department of Health and Human Services.

Procedures for Identifying Business Associates

Each WCU designated Health Care Component must identify its business associates and its contracts or inter-agency agreements with business associates in an annual written report to the HIPAA Privacy Officer.

Response to Business Associate inappropriate uses or disclosures

Business associate contracts will require the reporting to WCU of any known inappropriate or unlawful use or disclosure of ePHI within 1 to 3 days of the contractor’s discovery of the breach. WCU staff may also receive a client complaint or report about inappropriate uses or disclosures of information by business associates. Breaches of security of ePHI must be reported immediately. Any complaint or report of a security breach must be reported immediately to the HIPAA Privacy Officer.

The HIPAA Privacy Officer will contact General Counsel and other appropriate individuals, including the Computer Security Incident Response Team, as necessary and conduct an investigation. The HIPAA Privacy Officer will also require the business associate to conduct an internal investigation and report the results, within 5 business days of the discovery of the breach or unauthorized use or disclosure.

If determined necessary and appropriate, WCU will generate a “cure” letter outlining required remediation in order for the business associate to prevent further breaches or unauthorized uses or disclosures of PHI. If there is a breach of unencrypted ePHI, the Computer Security Incident Response Team shall consider the appropriate university action in light of applicable state and federal requirements.

In cases where contract compliance cannot be attained, WCU must terminate the contract, if feasible. If termination is not feasible, the HIPAA Privacy Officer will report the problem to the U.S. Department of Health and Human Services.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or changes in business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Business Associate Contracts and Other Arrangements [164.308(b)(1)] (Standard) - A covered entity, in accordance with Sec. 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with Sec. 164.314(a) that the business associate will appropriately safeguard the information. A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and Sec. 164.314(a).
  • Written Contract or Other Arrangement [164.308(b)(4)] (Required) - A covered entity is required to document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of Sec. 164.314(a).
  • Business Associate Contracts [164.314(a)(2)(i)] (Required) - The contract between a covered entity and a business associate must provide that the business associate will -- (A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart; (B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it; (C) Report to the covered entity any security incident of which it becomes aware; (D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.
  • Other Arrangements [164.314(a)(2)(ii)] (Required) - (A) When a covered entity and its business associate are both governmental entities, the covered entity is in compliance with paragraph (a)(1) of this section, if -- (1) It enters into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (a)(2)(i) of this section; or (2) Other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (a)(2)(i) of this section. (B) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate as specified in Sec. 160.103 of this subchapter to a covered entity, the covered entity may permit the business associate to create, receive, maintain, or transmit electronic protected health information on its behalf to the extent necessary to comply with the legal mandate without meeting the requirements of paragraph (a)(2)(i) of this section, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (a)(2)(ii)(A) of this section, and documents the attempt and the reasons that these assurances cannot be obtained. (C) The covered entity may omit from its other arrangements authorization of the termination of the contract by the covered entity, as required by paragraph (a)(2)(i)(D) of this section if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #3 - Information Access Management Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to implement all appropriate technical security safeguards necessary to protect the university's ePHI from all threats to confidentiality, integrity, and availability. These safeguards shall be designed to ensure that all users are uniquely identified, have access permissions consistent with those authorized, and are held accountable for the information they handle. These controls include mechanisms to encrypt and decrypt data in storage and in transit whenever justified by its sensitivity and criticality, password controls, session timeout, screen locking programs, and audit tools designed to monitor log-ins and record the activities performed during a session.

The Division of Information Technology and department managers will routinely monitor all critical system activities, promptly remove users once their status in the organization changes, and ensure the integrity of all sensitive information. Internal Audit will review monitoring efforts and perform an independent review of critical system activities.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

Division of Information Technology systems personnel are responsible for creating, suspending, disabling, and deleting user accounts based on instructions from department managers/data stewards or Human Resources. They are also responsible for granting access permissions to users based on instructions from the appropriate authorizing manager. Additionally, these administrators, in conjunction with Internal Audit, are responsible for monitoring information system activity to identify potential security events, verifying that access permissions are being properly implemented, resetting passwords, and assisting users with difficulties involving system and network access.

Department managers are responsible for clearly articulating the access to be granted to employees in a way that can be translated into system access permissions.

The HIPAA Security Officer or his/her designee is responsible for identifying the appropriate applications, network paths, and/or data requiring encryption and implementing an effective encryption strategy with the assistance of the Division of Information Technology.

All employees are responsible for ensuring that data under their custody and control is properly safeguarded in accordance with university security policies and procedures and instructions from the Division of Information Technology.

PERFORMANCE MEASUREMENT

A variety of metrics are available for this policy in assessing its success or failure. They include: the percentage of users that have unique usernames; the percentage of department managers that have reviewed access rights of all employees on a quarterly basis; and the number of security logs that have been reviewed. Department managers should define metrics appropriate for their department or division based on what is feasible and most important to the university.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Access to Electronic Personal Health Information (ePHI)

  1. Access to WCU's ePHI and computer systems is restricted to appropriately authorized and identified individuals, in accordance with the WCU Health Services HIPAA Privacy Policies, University Policy #97, Data Security and Stewardship, and University Policy #95, Data Network Security and Management.
  2. Department managers are responsible for ensuring that ePHI access authorization is completed prior to granting access requests to computer systems, and that individual user accounts are established and regulated consistent with HIPAA Security Policy #6 and Division of Information Technology policy.
  3. Department managers shall re-evaluate access rights when a workforce member’s job assignments change. Modifications to a workforce member’s access to computer systems shall be authorized, documented, and processed in accordance with HIPAA Security Policy #6 and Division of Information Technology policy.
  4. Access rights shall be granted only for legitimate business purposes, and shall not exceed the minimum necessary for a workforce member’s assigned duties.
  5. Security configurations shall be maintained on computer systems to restrict access to ePHI to only those workforce members that have been granted access, or approved software applications.
  6. Only Division of Information Technology employees or administrators are permitted to create or change access control settings, and changes to access control settings must be documented.

User ID and Password Administration

  1. WCU will utilize user authentication mechanisms for access to information systems. Each individual user will have a unique user name or number sign-on.
  2. Workforce members shall not share assigned unique system identifiers (or login names) with any other person, including department managers, unless for authorized support purposes.
  3. Passwords shall meet minimum complexity requirements, and must be different from previous passwords used. Passwords must be changed at least once every 90 days. Passwords shall not be shared with any other person, including department managers.
  4. Password controls shall lock out login accounts after three unsuccessful login attempts, whenever possible. Electronic sessions will be automatically terminated after a period of time deemed appropriate.
  5. Password protected screen savers shall be used on all systems when possible.

Encryption; Decryption

  1. Encryption of data, both in transit and at rest, will be determined by the Data Steward, upon consultation with the Division of Information Technology, for certain data classifications, in accordance with University Policy #97, Data Security and Stewardship.
  2. Passwords shall be encrypted for storage and transmission whenever possible, or whenever deemed necessary by the risk analysis or evaluation in accordance with Division of Information Technology policy.

Termination of Computer System Access

  1. Termination of access to ePHI and computer systems shall be accomplished in accordance with Human Resources Exit Policies and Procedures for all workforce members separating from WCU.
  2. Upon separation from WCU, the Division of Information Technology, in cooperation with department managers and Human Resources, shall make necessary changes to security levels within a reasonable time; except in the case of adverse separation, which will be done immediately.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Automatic Logoff [164.312(a)(2)(iii)] (Addressable) - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Access Control [164.312(a)(1)] (Standard) - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
  • Unique User Identification [164.312(a)(2)(i)] (Required) - Assign a unique name and/or number for identifying and tracking user identity.
  • Encryption and Decryption [164.312(a)(2)(iv)] (Addressable) - Implement a mechanism to encrypt and decrypt electronic protected health information.
  • Encryption [164.312(e)(2)(ii)] (Addressable) - Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
  • Audit Controls [164.312(b)] (Standard) - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • Mechanism to Authenticate Electronic Protected Health Information [164.312(c)(2)] (Addressable) - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  • Person or Entity Authentication [164.312(d)] (Standard) - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  • Transmission Security [164.312(e)(1)] (Standard) - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  • Integrity Controls [164.312(e)(2)(i)] (Addressable) - Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • Termination Procedures [164.308(a)(3)(ii)(C)] (Addressable) - Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by paragraph (a)(3)(ii)(B) of this section.
  • Access Establishment and Modification [164.308(a)(4)(ii)(C)] (Addressable) - Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  • Log-in Monitoring [164.308(a)(5)(ii)(C)] (Addressable) - Procedures for monitoring log-in attempts and reporting discrepancies.
  • Password Management [164.308(a)(5)(ii)(D)] (Addressable) - Procedures for creating, changing, and safeguarding passwords.
  • Information System Activity Review [164.308(a)(1)(ii)(D)] (Required) - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #4 - Information Security Training Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to provide to members of its workforce routine and periodic training regarding the privacy and security of ePHI and general security awareness. New employees will receive general security awareness training as well as department-specific computer/data security training as part of their orientation. This training shall encompass all areas of information security relevant to assigned duties. Supplemental training should be required of existing workforce members whenever significant technology changes occur, significant threats to information assets arise, job responsibilities change, or sufficient time has passed to require refresher sessions. This training can take the form of classroom training, online interactive training, online documentation, and paper-based manuals, flyers, posters, and other effective methods. To the extent possible, employees should be tested on their knowledge and required to receive more training when shown to be deficient.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

Department managers should periodically ensure that employees are adequately trained to use and/or manage computer systems in accordance with the HIPAA Privacy and Security Policies and all WCU data privacy and security policies.

The Data Security and Stewardship Committee, the Division of Information Technology, and the office of General Counsel shall assist Human Resources in the development of privacy and data security training materials and other resources appropriate to train workforce members.

All workforce members are responsible for obtaining the knowledge necessary to perform assigned duties in compliance with applicable WCU policy and law, and should inform their supervisor if they do not have the necessary information or training.

PERFORMANCE MEASUREMENT

Workforce members will be required to certify their completion of security awareness training and, in certain circumstances, post-training tests will be administered.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Dissemination of Policies and Procedures; Regulations

  1. The Data Security and Stewardship Committee shall coordinate with appropriate departments/divisions in the publication of data security policies and procedures and related regulatory or contractual requirements.
  2. Such information shall be readily available on the university's web page, and printed copies shall be maintained in departments/divisions as may be appropriate. Designated Health Care Components shall maintain printed copies of policies and procedures and regulations pertaining to HIPAA privacy and security.

Training Requirements

  1. The workforce in designated Health Care Components shall receive routine and periodic training on the HIPAA privacy and security regulations and applicable policies and procedures. The workforce shall also receive general security awareness training as prescribed by WCU policy.
  2. Training content will be established by the HIPAA Privacy and Security Officers, and approved by the Data Security and Stewardship Committee. The Department of Human Resources is responsible for overseeing the training means, schedule, and maintenance of attendance certification records. Department managers shall assure that workforce members complete the training as necessary.
  3. New employees who are required to complete the training will do so during standard departmental orientation programs, as well as orientation programs offered by Human Resources. Other new workforce members, specifically student workers, volunteers, and contractors, shall receive training arranged by department managers. All training will be appropriate to duty assignment and function. Training will be on-going as necessary, and shall occur at least annually for workforce members in designated Health Care Components.
  4. When significant changes in law, policy and/or procedure occur, the affected workforce will be trained as soon as possible after the changes. Workforce members will be provided with periodic general security awareness updates.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following Federal/State legal/regulatory and industry standards:

45 CFR Part 164, Subpart C, Security and Privacy

  • Security Awareness and Training [164.308(a)(5)(i)] (Standard) - Implement a security awareness and training program for all members of its workforce (including management).
  • Security Reminders [164.308(a)(5)(ii)(A)] (Addressable) - Periodic security updates.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #5 - Data Security Risk Analysis and Risk Management Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to develop and maintain a data security risk assessment and management program that includes routine and periodic assessments of threats and vulnerabilities, planning functions, and continuous monitoring of technology selections.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Data Security and Stewardship Committee will assist department managers/data owners in determining the sensitivity and criticality of the data under the latter's control, and estimating the potential impact if the confidentiality, integrity, and availability of the data are compromised.

IT security personnel are responsible for collecting information on possible threats and vulnerabilities relevant to data owned by WCU.

PERFORMANCE MEASUREMENT

The effectiveness of this policy will be measured by the extent to which risk assessments are conducted and by the resulting security posture. A successful risk assessment should be predictive, with some degree of accuracy, of the types of computer security incidents that threaten WCU.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Risk Assessment

  1. The Division of Information Technology, Internal Audit, and department managers shall conduct an initial assessment of existing computer systems, security, threats, and vulnerabilities. WCU shall implement recommended plans of correction that address vulnerabilities identified, consistent with the university's business imperatives and resources.
  2. The Data Security and Stewardship Committee shall develop policies and procedures related to routine and periodic ePHI security risk assessments. Implementation of these policies and procedures shall be the responsibility of department managers, with the oversight and assistance of IT security personnel and the HIPAA Security Officer.
  3. In addition to routine, periodic assessments, technical and non-technical risk assessments shall be conducted upon the occurrence of either internal or external events that may adversely affect the security and integrity of ePHI.
  4. Vulnerabilities shall be reported to the Internal Auditor and the Data Security and Stewardship Committee, and corrected as soon as possible.

Risk Management Program

The Data Security and Stewardship Committee shall develop a data security risk management program that includes the following elements:

  1. Risk Identification and Assessment. WCU shall identify and assess external and internal risks to the security, confidentiality, and integrity of ePHI that could result in the unauthorized disclosure, use, alteration, destruction or other compromise of such information. The HIPAA Privacy and Security Officers and IT security personnel will establish procedures for identifying, assessing, and documenting such risks, including the evaluation of the effectiveness of WCU's policies, procedures, and practices relating to access to and use of ePHI.
  2. Information Systems and Information Processing and Disposal. IT security personnel will develop procedures to assess and monitor the risks of unintentional disclosure of ePHI, including the assessment of network and software design, information processing, and the storage, transmission and disposal of ePHI.
  3. Detecting, Preventing and Responding to Attacks. IT security personnel will evaluate procedures for and methods of detecting, preventing, and responding to attacks or other system failures, as well as procedures for coordinating responses to network attacks. They will also evaluate existing network access and security policies and procedures.
  4. Designing and Implementing Safeguards. IT security personnel will design and implement safeguards to control the risks identified through such assessments and to test or monitor the effectiveness of such safeguards. Such testing and monitoring may be accomplished through existing network monitoring and problem escalation procedures.
  5. Overseeing Service Providers. Department managers shall coordinate with the HIPAA Security Officer and those responsible for third-party service procurement activities to select and retain only those service providers that are capable of maintaining appropriate safeguards for ePHI. The Office of General Counsel will develop standard contractual provisions applicable to service providers that require such providers to develop, implement, and maintain appropriate safeguards.
  6. Employee Training and Management. The Data Security and Stewardship Committee shall coordinate with Human Resources to provide training to WCU workforce members regarding general security awareness and risk management initiatives to minimize the occurrence of computer security incidents.
  7. Revisions to Program. Revisions to the risk management program shall be made based on risk assessment activities, as well as any material changes to WCU's operations or external events that may adversely affect the security and integrity of ePHI or WCU's general security initiatives.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following Federal/State legal/regulatory and industry standards:

45 CFR Part 164, Subpart C, Security and Privacy

  • Risk Analysis [164.308(a)(1)(ii)(A)] (Required) - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  • Security Management [164.308(a)(1)(i)] (Standard) - Implement policies and procedures to prevent, detect, contain, and correct security violations.
  • Integrity [164.312(c)(1)] (Standard) - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  • Risk Management [164.308(a)(1)(ii)(B)] (Required) - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #6 - Personnel Management and Sanction Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to ensure that workforce members who create, receive, maintain or transmit ePHI have the requisite authorizations and permissions prior to gaining access to computer systems and confidential data contained in the systems. Further, workforce members must comply with applicable ePHI and data security policies and procedures, as well as related regulatory and contractual requirements, or be subject to disciplinary sanctions.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The committee also assists department managers/data stewards in the appropriate classification of university data as either confidential, third-party confidential, internal or public in accordance with University Policy #97, Data Security and Stewardship.

Department managers/data stewards are responsible for granting appropriate workforce authorizations and permissions in accordance with applicable data classifications and communicating the same to the Division of Information Technology.

PERFORMANCE MANAGEMENT

The effectiveness of this policy will be evaluated by management reports and audits of (i) department attendance at mandatory training pertaining to information privacy and security policies; (ii) time required to disable accounts of separated workforce members; (iii) the number of times access permissions need to be adjusted; and (iv) the number and nature of computer security incidents (as defined in HIPAA Security Policy #1).

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS/TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Data Classification

  1. With the assistance of the Data Security and Stewardship Committee, department managers/data stewards shall classify departmental data as confidential, third-party confidential, internal or public in accordance with University Policy #97, Data Security and Stewardship Policy.
  2. All data types in each administrative and academic department shall be classified to facilitate the assignment of data access authorizations/permissions.
  3. The classification of data types shall be routinely and periodically evaluated and changed if necessary based upon changes in department function or changes in applicable policy or law.

Authorization; Permissions

  1. Department managers/data stewards shall grant data access authorizations/permissions to workforce members based upon (i) specific data classifications, and (ii) the workforce member's need to access the data in the ordinary performance of his/her job responsibilities. Such authorization/permission must be granted prior to the workforce member's access to department data. Workforce members shall receive clear guidance from department managers/data stewards regarding the authorized activities for their job.
  2. Department managers/data stewards shall clearly identify authorizations/permissions to the Division of Information Technology prior to the workforce member's first work day or assignment to the department.
  3. Department managers/data stewards shall verify with the Division of Information Technology appropriate computer system access authorization by workforce members.
  4. The Division of Information Technology shall manage user authorizations/permissions, user accounts, and password procedures.

Modification and Termination of Authorizations/Permissions

  1. When workforce members leave the department or change positions within the department, computer system authorizations/permissions, physical access, and other privileges must be modified or terminated as appropriate. The department manager/data steward is responsible for communicating such changes prior to the effective date of the change to the Division of Information Technology.
  2. When a workforce member is separated from the university, the department manager/data steward shall immediately advise the Division of Information Technology, and the division shall make the necessary changes to security levels within a reasonable time, except in the case of adverse separation, in which case the changes shall be made immediately. Human Resources shall ensure that computer systems access has been terminated as part of its exit procedures, and that all computing assets have been returned to the university.

Discipline; Sanctions

  1. Department managers/data stewards are responsible for ensuring that workforce members comply with all university data privacy and security policies and procedures, and for imposing appropriate discipline against workforce members who violate such policies and procedures. Disciplinary procedures shall be appropriate to the workforce member's classification (i.e., SPA employees shall be disciplined in accordance with University Policy #78, EPA non-faculty employees shall be disciplined in accordance with applicable policies relating to employees exempt from the state personnel act, faculty shall be disciplined in accordance with the Faculty Handbook, and student workers shall be disciplined in accordance with the Student Code of Conduct).
  2. Workforce members who violate WCU data privacy and security policies and procedures may be subject to discipline, which may include warnings, demotion, suspension or termination. Student workers may be subject to sanctions, which may include warnings, probation, discretionary or educational sanctions, suspension or expulsion.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or changes in business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Sanction Policy [164.308(a)(1)(ii)(C)] (Required) - Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
  • Assigned Security Responsibility [164.308(a)(2)] (Standard) - Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
  • Authorization and/or Supervision [164.308(a)(3)(ii)(A)] (Addressable) - Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
  • Workforce Security [164.308(a)(3)(i)] (Standard) - Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
  • Information Access Management [164.308(a)(4)(i)] (Standard) - Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
  • Access Authorization [164.308(a)(4)(ii)(B)] (Addressable) - Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
  • Workforce Clearance Procedure [164.308(a)(3)(ii)(B)] (Addressable) - Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
  • Termination Procedures [164.308(a)(3)(ii)(C)] (Addressable) - Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by paragraph (a)(3)(ii)(B) of this section.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #7 - Information Security Business Continuity and Disaster Recovery Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to provide for the continuous delivery of services to its constituencies in the event of significant disruption to normal operations caused by a variety of risks such as natural disaster, fire, power failure, theft or system/equipment failures. Continuous delivery of services shall be ensured by the development and implementation of written plans and procedures, specific to each operating division, to temporarily execute critical business processes by manual and other means.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

It is the responsibility of every operating division and its departments to assist the Division of Information Technology and other integral departments with the development, implementation, and monitoring of business continuity and disaster recovery plans for all critical processes and related applications or systems within the department’s control.

PERFORMANCE MEASUREMENT

The effectiveness of this policy will be measured by the extent to which all departments and major systems are included in business continuity and disaster recovery plans. The effectiveness of the plans will be measured by tests that will indicate the amount of time required to bring up a downed system, recreate a system using archived data, or restore operations to some extent at another location. Information security and integrity will be evaluated during the implementation of these plans.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Assessment of Business Risk

  1. Departments, with the assistance of the Division of Information Technology and others as may be appropriate, shall assess the department’s business function, impact, and risk to determine the department’s relative functional contribution to the larger university organization. Disaster recovery plans should be developed based upon the findings of these assessments.

Development of Disaster Recovery Plans

  1. Each operating division of WCU (i.e., Academic Affairs, Administration and Finance, Advancement and External Affairs, Chancellor’s Division, and Student Affairs) shall develop and maintain a copy of a business continuity/disaster recovery plan that includes each department or operating system within the division. Copies of these plans must be provided to the Division of Information Technology.
  2. Plans shall be developed with the assistance of the Division of Information Technology. All plans shall be reviewed by the Division of Information Technology as well as other stakeholders, such as Risk Management, Campus Police, and Administration and Finance, to ensure that critical resources are not over-subscribed in the event of an emergency and that a plan proposed by one department does not impede or contradict other plans. Ultimately, plans must be approved by the Chancellor or the Chancellor’s designee, who will also have the responsibility and authority to implement the plans in the event of an emergency. In most circumstances, department/division plans should be integrated into the Division of Information Technology university recovery plan and the communication system recovery plan. Plans should take into account the sensitivity and criticality of the applications and data processed.
  3. The Division of Information Technology shall develop and maintain a university disaster recovery plan for centrally managed systems. The university disaster recovery plan should include contingency plans to ensure business continuity and information security provisions to ensure that data remains secure during emergency situations. Such security provisions should address administrative, technical, and physical security controls to be put in place for each contingency referenced in the plans, and should provide for facility access in emergency situations to retrieve and restore data.

Testing and Monitoring

  1. All business continuity/disaster recovery plans must be reviewed regularly and periodically, and critical components, such as communications technologies, must be tested at least annually. Plans should be updated as necessary based on changes in technology, changes to business processes, systems processing, organizational changes or the university’s external operating environment.

Communication and Training

  1. All plans should address communication plans and strategies to ensure that employees receive necessary information relating to plan implementation and emergency assignments. Plans should also address communication strategies to ensure that students receive necessary information pertaining to service disruptions or changes in service delivery.
  2. Department managers shall regularly and periodically review disaster recovery plans with employees. Training shall be documented.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or changes in business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Disaster Recovery Plan [164.308(a)(7)(ii)(B)] (Required) - Establish (and implement as needed) procedures to restore any loss of data.
  • Data Backup Plan [164.308(a)(7)(ii)(A)] (Required) - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  • Emergency Mode Operation Plan [164.308(a)(7)(ii)(C)] (Required) - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
  • Contingency Plan [164.308(a)(7)(i)] (Standard) - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
  • Testing and Revision Procedures [164.308(a)(7)(ii)(D)] (Required) - Implement procedures for periodic testing and revision of contingency plans.
  • Applications and Data Criticality Analysis [164.308(a)(7)(ii)(E)] (Addressable) - Assess the relative criticality of specific applications and data in support of other contingency plan components.
  • Contingency Operations [164.310(a)(2)(i)] (Addressable) - Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
  • Emergency Access Procedure [164.312(a)(2)(ii)] (Required) - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #8 - Information Security Audit and Compliance Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy that the university's information technology systems, network operations, and policies and procedures are audited routinely and periodically by the Division of Information Technology, WCU Internal Audit, and the North Carolina State Auditor. Audits will include, at a minimum, compliance with applicable university policies and the detection of unauthorized access and sign-on attempts through specific audit software.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

WCU Internal Audit is responsible for regularly auditing information security controls and practices to ensure departmental compliance with applicable WCU information privacy and security policies and procedures.

IT security personnel are responsible for overseeing regular reviews of information system activities to verify compliance with security policies and procedures and identify risks to information assets.

PERFORMANCE MEASUREMENT

The Division of Information Technology and the Internal Auditor will submit periodic security audit reports to the Data Security and Stewardship Committee. Performance will be measured by the extent to which the audits are sufficient to assess policy compliance and to identify key risks.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Division of Information Technology Assessments

  1. IT security personnel shall routinely and periodically conduct assessments of division compliance with data security policies and procedures, as well as assessments of computer systems risks and vulnerabilities.
  2. IT security personnel shall provide written reports to the WCU Internal Auditor and the Data Security and Stewardship Committee detailing the findings and recommended corrective action pertaining to specific findings.

Office of Internal Audit

  1. The WCU Office of Internal Audit shall review the Division of Information Technology's assessment documentation to confirm that adverse findings have been addressed.
  2. Internal Audit will work with the Division of Information Technology to conduct audits of the designated Health Care Components of WCU to review compliance with this and other applicable data security policies.
  3. Internal Audit will review any and all modifications to data security policies that are proposed by the Data Security and Stewardship Committee.

North Carolina Office of the State Auditor

  1. The IT Audit Division of the North Carolina Office of the State Auditor periodically conducts a campus-wide IT operating systems review of applications, hardware, software, and firmware, with a focus on financial systems integrity. The State Auditor may also conduct targeted reviews of compliance with all data security policies and procedures as warranted.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as may be appropriate. There may be events that trigger additional reviews, such as changes in laws or regulations, information security best practices, threat models, or changes in business processes.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Evaluation [164.308(a)(8)] (Standard) - Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
  • Information System Activity Review [164.308(a)(1)(ii)(D)] (Required) - Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Audit Controls [164.312(b)] (Standard) - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #9 - Data Backup and Retention Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to ensure that all enterprise-level institutional data, including ePHI, is protected from primary data loss due to hardware failure, data corruption, network or facility inaccessibility, or emergency/disaster. The Division of Information Technology will develop and implement policies and procedures to ensure that the appropriate technical and physical security safeguards are in place to protect backup media both during normal operations and during emergencies.

It is WCU policy to maintain, archive, and destroy electronic data, including ePHI, in accordance with applicable university policies and state and federal record retention requirements, including the University of North Carolina General Records Retention and Disposition Schedule of 2007. Once the retention period has ended, all electronic copies must be destroyed in a manner that prevents their recovery in accordance with the HIPAA Media Handling and Disposal Policy and other applicable regulations and policies.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Division of Information Technology is responsible for ensuring that information on production servers will be regularly backed up and copies kept off-site, based on business requirements for information recovery. Routine tests shall be conducted on backup media to ensure that operations personnel can restore data accurately and in a timely manner.

Department managers/data stewards are responsible for ensuring that all critical information is stored on media that is regularly backed up, preferably on network file and production servers. They are also responsible for authorizing restoration of any data under their authority and for ensuring that data is retained or disposed of in accordance with all applicable data retention requirements.

All members of the workforce are responsible for complying with applicable policies and procedures regarding maintenance, archival, and destruction of electronic information.

PERFORMANCE MEASUREMENT

The Division of Information Technology will assess the effectiveness of the data backup program. Metrics may include the time required to restore an individual file to its original location, the time required to restore a file to a different location, the time required to fully restore all data that resided on a failed system at the same location, and the time required to fully restore all data at an alternate location.

The Office of Internal Audit will review campus-wide compliance with applicable data retention and destruction policies.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Data Backup

  1. With the assistance of department managers/data owners/data stewards, the Division of Information Technology will develop and implement an information systems backup procedure that can create and maintain exact, retrievable copies of ePHI, in accordance with the division Policy Handbook and related procedures. The procedure shall address, at a minimum, the following: (1) an application and data criticality analysis conducted by department managers/data owners/data stewards to assess the relative criticality of specific applications and data within each respective department; (2) a contingency plan to respond to an emergency or critical occurrence (e.g., fire, vandalism, computer system failure, pandemic or natural disaster); (3) a disaster recovery plan to restore the loss of data in the event of a disaster; (4) facility access procedures to address facility access necessary for data recovery and restoration; (5) emergency access procedures for the retrieval of ePHI during an emergency; and (6) departmental downtime procedures to protect ePHI during emergency operations of business processes.
  2. Data backup procedure, contingency plan, and disaster recovery plan testing will be conducted to assess recovery capabilities, and revisions to plans and procedures will be made based upon the results of such assessments and operational imperatives.

Data Retention and Destruction

  1. Electronic data, including ePHI, shall be maintained, archived, and destroyed in accordance with applicable university policies and state and federal record retention requirements, including the University of North Carolina General Records Retention and Disposition Schedule of 2007 and the WCU federal litigation guidelines regarding electronic evidence and e-discovery.
  2. When the applicable retention period has ended, all electronic data must be destroyed by the Division of Information Technology in a manner that prevents data recovery, in accordance with the HIPAA Media Handling and Disposal Policy, the division Policy Handbook, and other applicable regulations and policies.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as appropriate. Events such as changes in laws or regulations, information security best practices, threat models, or business processes may trigger additional reviews.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Data Backup and Storage [164.310(d)(2)(iv)] (Addressable) - Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  • Data Backup Plan [164.308(a)(7)(ii)(A)] (Required) - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #10 - Malicious Software and Acceptable Use Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy that employees who use the university IT systems/network do so in a manner that does not compromise systems/network security and integrity. In furtherance of this policy, WCU is committed to implementing and maintaining formal procedures to guard against, detect, and report malicious software.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Division of Information Technology is responsible for installing anti-virus software on all university production servers and ensuring that the software is regularly updated. Additionally, the division is responsible for ensuring that all user workstations have a current version of anti-virus software before being connected to the network.

All employees are responsible for complying with university policies on acceptable use.

Department managers are responsible for monitoring employee compliance with university policies on acceptable use, and for imposing appropriate disciplinary measures for policy violations.

PERFORMANCE MEASUREMENT

Performance can be measured by the number of viruses and other instances of malicious code discovered on university systems/computers.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

  1. Workforce members in WCU Health Care Components must sign a certification indicating their acceptance and understanding of the University Policies pertaining to the acceptable use of computers and IT systems and email/Internet, specifically University Policies #52 and #67. Consistent with other University Policies and acceptable use guidelines that may be issued from time to time, Internet and email usage must be in support of business activities. Each user is responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner.
  2. Employees are prohibited from installing shareware, freeware, commercial, or personally developed software without authorization from their department manager and the Division of Information Technology. This includes Java and ActiveX-based programs run within a web browser. Additionally, employees are cautioned to limit their web surfing to reputable web sites and avoid opening e-mails and attachments received from unknown individuals.
  3. Confidential information must only be transmitted over the Internet when protected by approved encryption, in accordance with Division of Information Technology policies and procedures.
  4. Production servers and user personal computers will be protected from viruses and known malicious software, in accordance with Division of Information Technology policies and procedures in effect from time to time. The division will ensure that all software used for scanning for malicious viruses/software is updated in a timely manner.
  5. All computer equipment connected to the WCU network/system shall be kept up to date with the manufacturer’s operating system security patches, as authorized by the division.
  6. All software installed on university computers must be authorized by the division.
  7. WCU workforce members suspecting malicious software infections must immediately report their suspicions to their department manager and to the Division of Information Technology.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as appropriate. Events such as changes in laws or regulations, information security best practices, threat models, or business processes may trigger additional reviews.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Protection from Malicious Software [164.308(a)(5)(ii)(B)] (Addressable) - Procedures for guarding against, detecting, and reporting malicious software.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #11 - Media Handling and Disposal Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy that devices and media be sufficiently protected to prevent unauthorized use, modification, disclosure, destruction, damage, theft, unauthorized handling, and denial of service. Storage, disposal, re-use, transmission, and transportation of electronic data, including ePHI, are to be conducted in a fashion that protects the data involved from unintended disclosure. Media containing ePHI must be effectively erased or destroyed by the Division of Information Technology prior to leaving the possession of the department.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Division of Information Technology is responsible for (i) defining the appropriate method of disposing of electronic media, (ii) disposing of electronic media, and (iii) erasing electronic media for re-use, if appropriate.

Department managers are responsible for authorizing media re-use and communicating the authorization to the Division of Information Technology. Managers are also responsible for disposing of electronic media, consistent with applicable policy, through the Division of Information Technology.

Workforce members are responsible for safeguarding all electronic media containing university data/information.

PERFORMANCE MEASUREMENT

The effectiveness of this policy will be shown by the number of incidents resulting from the unauthorized disclosure of electronic media containing ePHI or other confidential university data/information.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

Hardware/firmware Containing ePHI

  1. Departments shall follow procedures in the Division of Information Technology Policy Handbook, University Policy #67, and Department of Purchasing state surplus property policies regarding the acquisition, receipt, removal, re-use, and disposal of biomedical or non-biomedical hardware/firmware that contains ePHI and other confidential information.
  2. Hardware/firmware purchased by the university shall be received by the Division of Information Technology. After receipt, hardware/firmware shall be controlled and accounted for by the Administration and Finance fixed asset system and Department managers.
  3. Department managers shall create and maintain a record of hardware/firmware containing ePHI in their department, and record the movements of all hardware and electronic media and the workforce member responsible for the device(s)/media.
  4. Prior to the re-location and/or re-use of any university hardware/firmware containing ePHI, Department managers shall contact the Division of Information Technology to assess the classification of the electronic data contained on the device(s) and to review applicable access management policies. If authorized by the Division of Information Technology, the device(s) may be relocated and/or re-used, and the Department manager shall forward related records to the university fixed asset system.
  5. Department managers shall not, in any circumstance, directly dispose of hardware/firmware containing ePHI under university state surplus property procedures or other procedures. The Division of Information Technology is responsible for disposal of all hardware/firmware. Prior to disposal, the Department manager shall retrieve an exact copy of ePHI contained on the device(s).

Electronic Media Containing ePHI

  1. Electronic media containing ePHI shall be physically destroyed when no longer used. Under no circumstances shall electronic media containing ePHI be re-used.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as appropriate. Events such as changes in laws or regulations, information security best practices, threat models, or business processes may trigger additional reviews.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Media Disposal [164.310(d)(2)(i)] (Required) - Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
  • Media Re-use [164.310(d)(2)(ii)] (Required) - Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  • Accountability [164.310(d)(2)(iii)] (Addressable) - Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
  • Device and Media Controls [164.310(d)(1)] (Standard) - Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Appendix A - Western Carolina University, HIPAA Security Policies
HIPAA Security Policy #12 - Facility and Equipment Security Policy

Initially approved: November 28, 2007
Administering Offices: Division of Information Technology; Health Services

POLICY

It is WCU policy to implement and administer physical security controls on the campus, as well as at other locations/facilities supporting university operations, to prevent unauthorized access to, damage to, and interference with physical assets and information assets, including ePHI.

SCOPE

This policy applies to all members of the workforce in the designated Health Care Components of WCU as set forth in the WCU HIPAA Privacy Manual, "Hybrid Entity Policy". For purposes of this policy, "members of the workforce" include employees, volunteers, student workers, and contractors. The Health Care Components of WCU are Health Services, Counseling and Psychological Services, Speech and Hearing Center, Internal Audit, Office of General Counsel, Risk Management, and Division of Information Technology.

ACCOUNTABILITY

The Data Security and Stewardship Committee, comprised of the FERPA officer, HIPAA officers, GLBA officers, the CIO, the IT Security Analyst, the Director of Networking, the Director of Institutional Research, and representatives from the offices of General Counsel, Internal Audit, Advancement and Public Relations, and Administration and Finance, is responsible for the development, implementation, communication, and oversight of data security policies.

The Division of Information Technology is responsible for identifying all information technology assets, classifying the equipment based on the sensitivity and criticality of the information that is stored, processed, or transmitted by it, and recommending to department managers the appropriate physical security safeguards to be put in place.

All employees are responsible for ensuring that the equipment used by them is properly accounted for by the Division of Information Technology.

Department managers are responsible for ensuring that physical safeguards are put in place in accordance with the requirements of the Division of Information Technology.

PERFORMANCE MEASUREMENT

This policy will be evaluated against the nature and number of physical security compromises that occur. Physical security compromises can range from low impact events such as the existence of unescorted visitors in the building during working hours to actual break-ins where equipment is damaged, destroyed, or stolen.

ENFORCEMENT

Compliance with this policy will be monitored by department manager surveillance and workforce member complaints. Internal Audit will periodically review policy compliance. Department managers are responsible for ensuring compliance with this policy and that the appropriate corrective action is taken, which may include the implementation of additional controls, employee training, and disciplinary action. Employee performance evaluations will include policy compliance.

Failure to comply with this policy may result in the imposition of fines, or other significant penalties against WCU, and disciplinary action against employees.

COMMUNICATIONS / TRAINING

The HIPAA Security Policies contain all the applicable WCU policies and procedures that ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained or transmitted by the designated Health Care Components of WCU. All WCU workforce members who work in designated Health Care Components of WCU must be knowledgeable of the HIPAA Security Policies and related data security policies. Every designated Health Care Component of WCU is required to maintain a copy of the HIPAA Security Policies and supporting information security policies for reference and training purposes.

The Data Security and Stewardship Committee is responsible for developing and disseminating all WCU data security policies and procedures. Updates to the HIPAA Security Policies and supporting information security policies will be communicated to all department managers, and department managers are expected to update the department copies accordingly and inform their workforce of changes. Computer security incident training and general security awareness training will be conducted routinely and periodically. Training will be documented.

PROCEDURES

IT Facilities

Consistent with the Division of Information Technology Policy Handbook and University Policy #95, Data Network Security and Management, the division shall develop and implement procedures for safeguarding IT facilities and equipment from unauthorized physical access, tampering, or theft. Such procedures should include the following:

  1. Production servers must be protected in computer rooms that are alarmed and monitored, with access restricted to authorized personnel only.
  2. Doors to computer and telecommunications rooms must be kept locked.
  3. Closets containing telecommunication wiring and other distributed equipment must be kept securely locked.
  4. Power switches to production servers should be protected from unauthorized and accidental access.
  5. All source media for production servers, applications, and license keys must be clearly labeled and stored in a secure location.
  6. Division of Information Technology staff must ensure that network devices, such as routers and switches, are protected from inappropriate access.
  7. Individuals entering and exiting computer rooms should be recorded, identifying the individual and the time and point of entry and departure. Logs shall be maintained for review.
  8. Visitors will only be allowed entry to computer rooms after producing adequate identification and an appropriate department employee has given authorization.
  9. Visitors must be escorted when in computer rooms or other restricted areas.
  10. Any site or building passes or codes must be revoked or changed by the employee’s supervisor immediately upon termination, resignation, or separation from a project.
  11. Any maintenance/service performed on the facility should be documented, including date, time, vendor, vendor employee name, reason for access, and emergency contact for off-hours accessibility. Logs shall be maintained for review.

Designated Health Care Components

  1. The Division of Information Technology will assist each designated Health Care Component in the development and implementation of access control procedures to safeguard facilities and equipment.
  2. Department managers in designated Health Care Components shall be responsible for documenting the specific location of ePHI, and for implementing appropriate procedures to secure department-specific servers and record rooms that contain ePHI and other confidential information. Access may be restricted by the use of restricted room keys, electronic keypads, or card-reader locks.
  3. Workforce member workstations should be physically secured as appropriate to the sensitivity and criticality of information stored, processed, or transmitted by the workstation. Such security may include locating workstations in secured work areas, utilizing locking devices that secure the workstation to the desk, and monitoring work areas.
  4. Workforce members are expected to use workstations in a manner that ensures their continued physical protection.

Other On/Off Campus Facilities

  1. All departments shall comply with applicable Information Technology security policies and procedures as well as general data security policies and procedures.
  2. The Division of Information Technology will assist units located outside the principal campus to develop and implement appropriate access and security protection policies and procedures.
  3. Workforce member workstations should be physically secured as appropriate to the sensitivity and criticality of information stored, processed, or transmitted by the workstation. Such security may include locating workstations in secured work areas, utilizing locking devices that secure the workstation to the desk, and monitoring work areas.
  4. Workforce members are expected to use workstations in a manner that ensures their continued physical protection.

APPROVAL PROCESS

The Data Security and Stewardship Committee oversees the development and implementation of WCU data security policies and practices. The Executive Council has final approval authority over all information security policies, standards, guidelines, and procedures.

REVIEW AND REVISIONS

The Data Security and Stewardship Committee is responsible for regularly reviewing and revising this policy as appropriate. Events such as changes in laws or regulations, information security best practices, threat models, or business processes may trigger additional reviews.

REGULATORY AUTHORITIES / INDUSTRY STANDARDS

This policy satisfies the following regulatory requirements:

45 CFR Part 164, Subpart C, Security and Privacy

  • Facility Security Plan [164.310(a)(2)(ii)] (Addressable) - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
  • Facility Access Controls [164.310(a)(1)] (Standard) - Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
  • Access Control and Validation Procedures [164.310(a)(2)(iii)] (Addressable) - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
  • Maintenance Records [164.310(a)(2)(iv)] (Addressable) - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
  • Workstation Use [164.310(b)] (Standard) - Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
  • Workstation Security [164.310(c)] (Standard) - Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Appendix B - Western Carolina University, Gramm-Leach-Bliley Act
Financial Information Security Plan

POLICY

It is Western Carolina University (WCU) policy to ensure the integrity, security, and confidentiality of student financial information as required by implementing regulations of the Gramm-Leach-Bliley Act (GLBA).

PLAN

1. Definitions

“Covered data and information” for purposes of this plan includes student financial information, as defined below, required to be protected under GLBA. Additionally, WCU, as a matter of policy and other legal and contractual obligations, includes in this definition any credit card information received in the course of business by WCU, whether or not such credit card information is covered by GLBA. Covered data includes data maintained in any media.

“Student financial information” is that information obtained by WCU from a student (sometimes also referred to as the “customer”) in the process of offering a financial product or service, or such information provided to WCU by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

2. Covered WCU Offices

The following WCU offices and activities are covered for purposes of this plan:

  • Athletics – administration of student athlete scholarships
  • One Stop – administration of emergency loans and access to student financial data
  • Controller – administration of student loans and access to student financial data
  • Student Accounts/Perkins Loan Office – administration of student loans and access to student financial data
  • WCU Cashier – access to student financial data
  • Financial Aid Office – administration of student loans (FFEL/Stafford loans and PLUS loans) and Pell grants and access to student financial data
  • Office of Legal Counsel – access to student financial data
  • Office of Internal Audit – access to student financial data
  • Division of Information Technology – access to student financial data
  • Associate Vice Chancellor for Finance – access to student financial data

3. Designation of GLBA Security Plan Coordinators

The Systems Accountant in the Division of Administration and Finance and the Systems Analyst in the Division of Information Technology are designated as co-GLBA Security Plan Coordinators. These individuals are responsible for implementing and overseeing this plan, in conjunction with the WCU Data Security and Stewardship Committee.

4. Risk Identification and Assessment

The managers of each covered office, with the assistance of the GLBA Security Plan Coordinators and the Division of Information Technology, shall conduct an initial assessment of existing computer systems security, threats, and vulnerabilities. Covered offices shall also conduct an initial risk assessment relative to covered data and information maintained in non-electronic media. The initial risk assessment must identify and assess external and internal risks to the security, confidentiality, and integrity of covered data and information that could result in the unauthorized disclosure, use, alteration, destruction or other compromise of such information.

Covered offices, with the assistance of the GLBA Security Plan Coordinators, shall establish procedures for identifying, assessing, addressing, monitoring, and documenting such risks. Such procedures should be consistent with existing university procedures pertaining to data security, including relevant parts of the HIPAA Security Policies, the Division of Information Technology Policy Handbook, and University Policies 52 (Policy on the Use of Computers and Data Communications), 67 (Personal Computers), 95 (Data Network Security and Management), and 97 (Data Security and Stewardship Policy).

Following the initial risk assessment, risk assessments shall be conducted on a routine and periodic basis. Such assessments shall monitor and evaluate the sufficiency of any administrative, technical, and physical safeguards put in place to mitigate system risks. Security systems shall be regularly tested and modified when necessary. Compliance with this plan will be periodically reviewed by Internal Audit.

5. Security of Information Systems

Access to WCU information systems and covered data and information is limited to those employees who have a business reason to know such information. Each employee is assigned a user name and password consistent with existing policies regarding information access management and personnel management. Covered data and information, specifically including account numbers, account balances, and transactional information, are available only to WCU employees in the covered offices listed above.

WCU will take reasonable and appropriate measures to ensure that all covered data and information is secure, and to safeguard the integrity of data in storage and transmission consistent with existing Division of Information Technology policies and procedures. When commercially reasonable, encryption technology will be utilized for both storage and transmission. All covered data and information will be maintained on servers that are behind WCU’s firewalls, and all firewall software and hardware maintained by the Division of Information Technology will be kept current.

6. Detection, Prevention, and Response to Information Systems Intrusions

WCU will maintain effective technical systems to prevent, detect, and respond to attacks, intrusions, and other information system failures. Such systems shall be developed in accordance with existing policies pertaining to malicious software and acceptable use, data security risk analysis, information security audits, business continuity, data backup and retention, and facility and equipment security. Such systems may include: maintaining and implementing current anti-virus software; obtaining and installing current patches and corrections to software vulnerabilities; maintaining appropriate filtering or firewall technologies; alerting those with access to covered data and information of security threats; and backing up data regularly and storing backup data off-site. The GLBA Security Plan Coordinators shall work with Internal Audit to periodically review compliance with this plan and the sufficiency of detection and monitoring activities.

7. Employee Training and Management

Safeguards for the security of covered data and information include the management and training of employees who are authorized to access such information. WCU has adopted comprehensive policies regarding information security training and personnel management/sanction, which are referenced in paragraph 4 above. The GLBA Security Plan Coordinators will work with the Data Security and Stewardship Committee and Human Resources to ensure that appropriate training is provided to all employees who have access to covered data and information. Training will include education on this plan and all other relevant information security policies and procedures.

8. Physical Safeguards

The physical security of electronic covered data and information shall be ensured by limiting access to only those employees who have a business reason to know such information. Additionally, pursuant to university information security policies, system and network equipment and other physical assets are locked, alarmed, and monitored. Electronic media containing covered data and information shall be maintained and disposed of in accordance with existing policies pertaining to record retention and media handling and disposal.

Loan files, account information, and other paper documents are kept in file cabinets, rooms or vaults that are locked each night. Only authorized employees know combinations and the location of keys. Paper documents that contain covered data and information shall be maintained in accordance with existing policies pertaining to record retention and shall be shredded at the time of disposal.

9. Selection and Oversight of Contractors/Service Providers

In the ordinary course of business, WCU may from time to time appropriately share covered data and information with third parties. The university will take reasonable steps to select and retain appropriate service providers, and shall require by contract that such providers maintain safeguards for the security, confidentiality, and integrity of covered data and information that they receive.

 
