Page 54 - Employee Handbook 1-2015 rev9
rules also require the City to develop, implement and provide notice to employees of its security
policy and various other aspects of the security rules. This document, which outlines the City’s
security policy, constitutes your notice as required by the security rules. This notice also
supplements the HIPAA Privacy Notice provided to employees and published on April 14, 2003,
and updated September 14, 2014.
The security rules apply to all individually identifiable health information that is in an
electronic form, whether it is being stored or transmitted. This includes all administrative and
financial healthcare transactions covered by the HIPAA Transactions Standards Rule, including
internal transmissions. All healthcare providers, health plans, or clearinghouses that
electronically store or transmit individual health information must comply.
The security rules focus on both external and internal security threats and vulnerabilities.
Threats from “outsiders” may include breaking through network firewalls and e-mail attacks through
interception or viruses. Internal threats are of equal concern, and are far more likely to occur
according to many security experts. Consequently, organizations must protect against careless
staff or others who are unaware of security issues.
Security Officer
The security rules require the designation of a security officer. The City has designated
Alan Andrews, Deputy City Attorney, as both Privacy and Security Officer. As Security Officer,
Alan Andrews will provide leadership and guidance in ensuring the City’s compliance with
HIPAA and the security rules. Should an issue arise regarding the City’s compliance with the
HIPAA Privacy and the Security rules, you may contact the Security Officer or his alternate at:
Alan Andrews, Deputy City Attorney
101 N. Main Street Winston-Salem, NC 27101
Phone: (336) 747-7401 | Fax: (336) 747-9285 | email: alana@cityofws.org
Security Measures
As indicated in the City’s Privacy Notice, which can be found in your employee
handbook, the vast majority of protected health information (hereinafter “PHI”) is held in
confidence and is not disseminated to the City. The City’s limited access is facilitated by a
system maintained by our health insurance carrier. When PHI, which is limited primarily to
enrollment and disenrollment information and payment of claims, is disseminated to the City, it
is provided to certain key personnel in the Human Resources Department whose personnel have
been trained on the importance of confidentiality and HIPAA. Employees entrusted with access
to this limited PHI agree to maintain the confidence of PHI in accordance with HIPAA and any
other applicable federal and/or state laws. Access is limited to personnel with specific
passwords, which change on a routine basis, and whose offices are locked after hours. This
information is not maintained on a desktop PC and is not accessible from anywhere on the City’s
network. When an employee entrusted with PHI leaves the City’s employment, that former
employee’s password is immediately erased from the system, and keys and passes are retrieved
City of Winston-Salem Employee Handbook November 2014 Revision 45

