procedures described in this policy unless The Plan(s) Security Officer determines it is necessary for plan administration purposes to store ePHI on portable workstations.

It has been determined that it is not reasonable to develop automatic logoff procedures or data encryption mechanisms specifically for systems used to access ePHI. Automatic logoff and data encryption will be used for systems used to access ePHI if existing Plan Sponsor system access policies and procedures include these capabilities and requirements.

When ePHI is accessed by using systems that contain audit control capabilities, The Plan(s) will periodically review audit reports to assist in determining if a security violation has occurred.

Employees who have been granted access to ePHI according to The Plan(s) policies and procedures will be subject to The Plan's sanction policy if they allow unauthorized access to ePHI by circumventing access control (e.g. sharing their unique login I.D. and password).

10. Device and Media Controls and Integrity of Data
[§164.310(d)(1), §164.310(d)(2)(i), §164.310(d)(2)(ii), §164.310(d)(2)(iii), §164.312(c)(1)]

Any ePHI stored by The Plan(s) in electronic storage media will be subject to the following procedures to ensure that the ePHI is not inappropriately used.

• All hardware, storage devices, and electronic media which contains or contained ePHI will be erased, re-formatted or rendered unusable in a technically sufficient manner prior to disposal, or re-use for other purposes, to assure no unauthorized access to ePHI is possible in the future.
• The Plan's Security Official will be responsible to ensure that electronic media is controlled in accordance with this policy and maintain any reasonable documentation necessary.

It has been determined that it is not reasonable or necessary to implement technical procedures for automatic data integrity checks for systems used to access ePHI alone. The Plan(s) will use existing Plan Sponsor data integrity procedures and policies, if available and reasonable, to determine if ePHI has been altered or destroyed in an unauthorized manner.

11. Transmission Security
[§164.312(e)(1), §164.312(e)(2)(i)]

The Plan(s) will implement the following measures to protect ePHI that is being transmitted over electronic communications networks including the Internet.

It has been determined that it is not reasonable or necessary to implement transmission integrity controls or email and electronic communication encryption procedures only for systems used to access or transmit ePHI. The Plan(s) will use existing Plan Sponsor transmission integrity and email and communication encryption procedures, if available and reasonable, to protect ePHI transmitted over electronic networks.

If the Plan Sponsor does not have existing transmission integrity or encryption procedures available, The Plan will implement the following procedures to protect ePHI transmitted over electronic networks:

a. ePHI sent via email will be contained in a separate file sent as an attachment whenever reasonable. Files containing ePHI will be protected by a password when possible. Passwords necessary to access the file will be sent to the recipient via separate communication.

12. Group Health Plan Document Requirements