Written Information Security Plan

Each covered entity is required by HIPAA/HITECH law to evaluate security risks and solutions in relation to the size, scope and nature of the business and the attendant risks of unauthorized access to or use of protected health information.

TechWorks Inc has developed this template as part of a tailored seminar presentation and as a sample for use by authorized businesses, not as a definitively sufficient “WISP” for any business. However, any business is welcome and encouraged to contact Buchanan & Associates for more information about an affordable way to obtain authorization to use the template, and for any relevant updates in this rapidly evolving area of law.

[INSERT COMPANY OR ENTITY NAME]
[NOTE: SELECT CAREFULLY WHERE MULTIPLE ENTITIES CO-OPERATE]
WRITTEN INFORMATION SECURITY PLAN
[INSERT DATE]
[NOTE: If any element of the following Sample/Template is not operationally feasible or appropriate for a particular business, be sure to delete that element from the company-specific WISP. Otherwise, it would be a liability exposure to establish a written policy and not to comply with it.]

I. OBJECTIVE: The objective of [INSERT COMPANY NAME] in the development and implementation of this comprehensive written information security program (“WISP”) is to create effective administrative, technical and physical safeguards for the protection of the health information of its patients.

The WISP sets forth our procedure for evaluating and addressing our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting protected health information.

For purposes of this WISP, “personal information” is as defined in the regulations: a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

II. PURPOSE:
The purpose of the WISP is to better: (a) ensure the security and confidentiality of personal information; (b) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Buchanan & Associates
33 Mount Vernon Street
Boston, MA 02108
www.buchananassociates.com
617.227.8410
3
III. SCOPE:
In formulating and implementing the WISP, [INSERT COMPANY NAME] has addressed and incorporated the following protocols:
(1) identified reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
(2) assessed the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
(3) evaluated the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;
(4) designed and implemented a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and
(5) implemented regular monitoring of the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR:
[INSERT COMPANY NAME] has designated [INSERT EMPLOYEE NAME] to implement, supervise and maintain the WISP. This designated employee (the “Data Security Coordinator”) will be responsible for the following:
a. Implementation of the WISP including all provisions outlined in Section VII: Daily Operational Protocol;
b. Training of all employees;
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of any of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, and requiring such third party service providers by contract to implement and maintain appropriate security measures;
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information;
f. Conducting an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information, on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with our requirements for ensuring the protection of personal information.
V. INTERNAL RISK MITIGATION POLICIES:
To guard against internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately:

• We will only collect personal information of clients, customers or employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state or local regulations.

• Access to records containing personal information shall be limited to those employees whose duties, relevant to their job description, have a legitimate need to access said records, and only for this legitimate job-related purpose.

• Written and electronic records containing personal information shall be securely destroyed or deleted at the earliest opportunity consistent with business needs or legal retention requirements. Our frequent business records needs and associated retention and secure destruction periods are included in Attachment A: Common Business Record Needs [to be completed by Company after evaluating usual business record needs].

• A copy of the WISP is to be distributed to each current employee and to each new employee on the beginning date of their employment. It shall be the employee’s responsibility to acknowledge in writing, by signing the attached sheet, that he/she has received a copy of the WISP and will abide by its provisions. Employees are encouraged and invited to advise the WISP Data Security Coordinator of any activities or operations which appear to pose risks to the security of personal information. If the Data Security Coordinator is him or herself involved with these risks, employees are encouraged and invited to advise any other manager or supervisor or business owner.

• A training session for all current employees will be held on [INSERT DATE] to detail the provisions of the WISP.

• All employment contracts, where applicable, will be amended to require all employees to comply with the provisions of the WISP and to prohibit any nonconforming use of personal data as defined by the WISP.

• Terminated employees must return all records containing personal data, in any form, in their possession at the time of termination. This includes all data stored on any portable device and any device owned directly by the terminated employee.

• A terminated employee’s physical and electronic access to records containing personal information shall be restricted at the time of termination. This shall include remote electronic access to personal records, voicemail, internet, and email access. All keys, keycards, access devices, badges, company IDs, business cards, and the like shall be surrendered at the time of termination.

• Disciplinary action will be applicable to violations of the WISP, irrespective of whether personal data was actually accessed or used without authorization.

• All security measures including the WISP shall be reviewed at least annually beginning March 1, 2010 to ensure that the policies contained in the WISP are adequate to meet all applicable federal and state regulations.

• Should our business practices change in a way that impacts the collection, storage, and/or transportation of records containing personal information, the WISP will be reviewed to ensure that the policies contained in the WISP are adequate to meet all applicable federal and state regulations.

• The Data Security Coordinator or his/her designee shall be responsible for all review and modifications of the WISP and shall fully consult and apprise management of all reviews, including any recommendations for improved security arising from the review.

• The Data Security Coordinator shall maintain a secured and confidential master list of all lock combinations, passwords, and keys. The list will identify which employees possess keys, keycards, or other access devices and that only approved employees have been provided access credentials.

• The Data Security Coordinator or his/her designee shall ensure that access to personal information is restricted to approved and active user accounts.

• Current employees’ user IDs and passwords shall conform to accepted security standards. All passwords shall be changed at least annually, more often as needed (e.g. seasonally).

• Employees are required to report suspicious or unauthorized use of personal information to a supervisor or the Data Security Coordinator.

• Whenever there is an incident that requires notification pursuant to the Security Breach Notifications of Massachusetts General Law Chapter 93H: “Security Breaches” (copy attached), the Data Security Coordinator shall host a mandatory post-incident review of events and actions taken, if any, in order to determine how to alter security practices to better safeguard personal information.
VI. EXTERNAL RISK MITIGATION POLICIES:

• Firewall protection, operating system security patches, and all software products shall be reasonably up-to-date and installed on any computer that stores or processes personal information.

• Personal information shall not be removed from the business premises in electronic or written form absent legitimate business need and use of reasonable security measures, as described in this policy.

• All system security software including anti-virus, anti-malware, and internet security shall be reasonably up-to-date and installed on any computer that stores or processes personal information.

• There shall be secure user authentication protocols in place that:
  o Control user IDs and other identifiers;
  o Assign passwords in a manner that conforms to accepted security standards, or apply use of unique identifier technologies;
  o Control passwords to ensure that password information is secure.
VII. DAILY OPERATIONAL PROTOCOL
This section of our WISP outlines our daily efforts to minimize security risks to any computer system that processes or stores personal information, ensures that physical files containing personal information are reasonably secured and develops daily employee practices designed to minimize access and security risks to personal information of our clients and/or customers and employees.
The Daily Operational Protocol is effective [March 1, 2010] and shall be reviewed and modified as deemed necessary at a meeting of the Data Security Coordinator and personnel responsible and/or authorized for the security of personal information. The review meeting shall take place on or before [February 28, 2011]. Any modifications to the Daily Operational Protocol shall be published in an updated version of the WISP. At the time of publication, a copy of the WISP shall be distributed to all current employees and to new hires on their date of employment.
A. Recordkeeping Protocol:
• We will only collect personal information of clients and customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal and state and local laws.

• Within 30 days of the publication of the WISP or any update, the Data Security Coordinator or his/her designee shall perform an audit of all relevant company records to determine which records contain personal information, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary personal information in a manner consistent with the WISP.

• Any personal information stored shall be disposed of when no longer needed for business purposes or required by law for storage. Disposal methods must be consistent with those prescribed by the WISP.

• Any paper files containing personal information of clients or employees shall be stored in a locked filing cabinet. Only department heads and the Data Security Coordinator will be assigned keys to filing cabinets and only those individuals are allowed access to the paper files. Individual files may be assigned to employees on an as-needed basis by the department supervisor.

• All employees are prohibited from keeping unsecured paper files containing personal information in their work area when they are not present (e.g. lunch breaks).

• At the end of the day, all files containing personal information are to be returned to the locked filing cabinet by department heads or the Data Security Coordinator.

• Paper or electronically stored records containing personal information shall be disposed of in a manner that complies with M.G.L. c. 93I sec. 2 (see Attachment D: Standards for disposal of records containing personal information; disposal by third party; enforcement) and as follows:
(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

• The following employees are authorized to access and assign to other employees files containing personal information:
Employee Name          Department

• Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted.

• If necessary for the functioning of individual departments, the department head, in consultation with the Data Security Coordinator, may develop departmental rules that ensure reasonable restrictions upon access and handling of files containing personal information and must comply with all WISP standards. Departmental rules are to be published as an addendum to the WISP.
B. Access Control Protocol:

• All our computers shall restrict user access to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.

• All computers that have been inactive for 5 or more minutes shall require re-log-in.

• After 5 unsuccessful log-in attempts by any user ID, that user ID will be blocked from accessing any computer or file stored on any computer until access privileges are reestablished by the Data Security Coordinator or his/her designee.

• Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.

• Where practical, all visitors who are expected to access areas other than common retail space or are granted access to office space containing personal information should be required to sign in with a photo ID at a designated reception area where they will be assigned a visitor’s ID or guest badge unless escorted at all times. Visitors are required to wear said visitor ID in a plainly visible location on their body, unless escorted at all times.

• Where practical, all visitors are restricted from areas where files containing personal information are stored. Alternatively, visitors must be escorted or accompanied by an approved employee in any area where files containing personal information are stored.

• Cleaning personnel (or others on site after normal business hours and not also authorized to have access to personal information) are not to have access to areas where files containing personal information are stored.

• All computers with an internet connection or any computer that stores or processes personal information must have a reasonably up-to-date version of software providing virus, anti-spyware and anti-malware protection installed and active at all times.

• An inventory of all company computers and handhelds authorized for personal information storage is contained in Attachment C: Computer and Handheld Inventory, which shall be made known only to the Data Security Coordinator and other managers on a “need to know” basis.
C. Third Party Service Provider Protocol:
Any service provider or individual that receives, stores, maintains, processes, or otherwise is permitted access to any file containing personal information (“Third Party Service Provider”) shall be required to meet the following standards as well as any and all standards of 201 CMR 17.00. (Examples include third parties who provide off-site backup storage copies of all our electronic data; paper record copying or storage service providers; contractors or vendors working with our customers and having authorized access to our records):

• Any contract with a Third Party Service Provider signed on or after March 1, 2010 shall require the Service Provider to implement security standards consistent with 201 CMR 17.00 (copy attached).

• It shall be the responsibility of the Data Security Coordinator to obtain reasonable confirmation that any Third Party Service Provider is capable of meeting security standards consistent with 201 CMR 17.00.

• Any existing contracts with Third Party Service Providers shall be reviewed by the Data Security Coordinator. These Service Providers shall meet the security standards consistent with 201 CMR 17.00 by March 1, 2012 or other Service Providers will be selected, when feasible to do so.

• A list of currently known third party service providers is contained in Attachment B: Third Party Service Providers.
VIII. Breach of Data Security Protocol:
Should any employee know of a security breach at any of our facilities, or that any unencrypted personal information has been lost or stolen or accessed without authorization, or that encrypted personal information along with the access code or security key has been acquired by an unauthorized person or for an unauthorized purpose, the following protocol is to be followed:

• Employees are to notify the Data Security Coordinator or department head in the event of a known or suspected security breach or unauthorized use of personal information.

• The Data Security Coordinator shall be responsible for drafting a security breach notification to be provided to the Massachusetts Office of Consumer Affairs and Business Regulation and the Massachusetts Attorney General’s office. The security breach notification shall include the following:
  o A detailed description of the nature and circumstances of the security breach or unauthorized acquisition or use of personal information;
  o The number of Massachusetts residents affected at the time the notification is submitted;
  o The steps already taken relative to the incident;
  o Any steps intended to be taken relative to the incident subsequent to the filing of the notification; and
  o Information regarding whether law enforcement officials are engaged in investigating the incident.
Attachment A:
Common Business Records Needs/Associated Retention and Secure Destruction Periods
Record          Time Retained          Destroyed On/Destroyed By
Attachment B:
Third Party Service Providers
Company Name          Contact Information          Services Provided          Contract Date
Attachment C – TO BE KEPT CONFIDENTIAL EXCEPT NEED TO KNOW BASIS:
Computer and Handheld Inventory
Computer Make/Model          Location          Employee Assignment
Attachment D:
Chapter 93I: Section 2. Standards for disposal of records containing personal information; disposal by third party; enforcement
[Text of section added by 2007, 82, Sec. 17 effective February 3, 2008. See 2007, 82, Sec. 19.]
Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.
Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.
PART I. ADMINISTRATION OF THE GOVERNMENT
TITLE XV. REGULATION OF TRADE
CHAPTER 93H. SECURITY BREACHES
[Chapter 93H added by 2007, 82, Sec. 16 effective October 31, 2007.]
Chapter 93H: Section 3. Duty to report known security breach or unauthorized use of personal information
[Text of section added by 2007, 82, Sec. 16 effective October 31, 2007.]
Section 3. (a) A person or agency that maintains or stores, but does not own or license data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the owner or licensor in accordance with this chapter. In addition to providing notice as provided herein, such person or agency shall cooperate with the owner or licensor of such information. Such cooperation shall include, but not be limited to, informing the owner or licensor of the breach of security or unauthorized acquisition or use, the date or approximate date of such incident and the nature thereof, and any steps the person or agency has taken or plans to take relating to the incident, except that such cooperation shall not be deemed to require the disclosure of confidential business information or trade secrets, or to provide notice to a resident that may have been affected by the breach of security or unauthorized acquisition or use.
(b) A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with this chapter. The notice to be provided to the attorney general and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to, the nature of the breach of security or unauthorized acquisition or use, the number of residents of the commonwealth affected by such incident at the time of notification, and any steps the person or agency has taken or plans to take relating to the incident.
Upon receipt of this notice, the director of consumer affairs and business regulation shall identify any relevant consumer reporting agency or state agency, as deemed appropriate by said director, and forward the names of the identified consumer reporting agencies and state agencies to the notifying person or agency. Such person or agency shall, as soon as practicable and without unreasonable delay, also provide notice, in accordance with this chapter, to the consumer reporting agencies and state agencies identified by the director of consumer affairs and business regulation.
The notice to be provided to the resident shall include, but not be limited to, the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies, provided however, that said notification shall not include the nature of the breach or unauthorized acquisition or use or the number of residents of the commonwealth affected by said breach or unauthorized access or use.
(c) If an agency is within the executive department, it shall provide written notification of the nature and circumstances of the breach or unauthorized acquisition or use to the information technology division and the division of public records as soon as practicable and without unreasonable delay following the discovery of a breach of security or unauthorized acquisition or use, and shall comply with all policies and procedures adopted by that division pertaining to the reporting and investigation of such an incident.