Thread: So, now what?
07-13-2015 | 07:49 AM
  #84  
Ferd149

Originally Posted by sailingfun
They put out a two page long follow on letter detailing the mechanics of who would have access.


TECHNICAL, PHYSICAL AND ADMINISTRATIVE SAFEGUARDS FOR MEDICAL INFORMATION PROVIDED BY PILOTS UNDER PWA SECTION 14
The following list contains the technical, physical, and administrative safeguards the Company will implement for information provided by pilots under PWA Section 14 verification and medical release provisions and that are compliant with the health care provider privacy/disclosure protections of the Health Insurance Portability and Accountability Act (HIPAA).
1. Medical information provided by pilots under PWA Section 14 will be maintained in the office of the Director – Health Services (the “DHS office”) which will be located in a locked area with limited access.
2. The DHS Office will secure paper records containing medical information provided by pilots or their health providers for the purposes of sick verification or pursuant to a medical release (the “Records”) in a locked filing cabinet that is accessible to only authorized users in order to prevent unauthorized access. Written protocols will be developed to address the process of identifying and approving authorized users.
3. Electronic Records will be secured by implementing controls to limit access to only authorized users with a need to access such records, including:
• Deactivation of an authorized user’s access to electronic Records when such user is reassigned to another job function or such user resigns, retires or is terminated.
• Annual review of authorized users to verify such users still require access to Records.
• Written protocols to address prohibition against removal of Records from the DHS office via hard copy, fax, removable media, or personal email.
• Require laptops and personal handheld devices on which Records may be accessed or stored to be password protected.
• Authorized users of electronic Records will be assigned a user name and be required to change their password on a periodic basis.
• Written protocols to address procedures for changing and safeguarding passwords, and sanctions for sharing of passwords. These protocols will follow the procedures established by the Delta Information Technology (IT) department with respect to other confidential information retained by Delta.
• Written protocols to address accessing Records only for identified authorized purposes.
• Audit of electronic Records to verify access by only authorized users for authorized purposes consistent with Delta’s IT policies and practices regarding similar records.
4. DHS staff and authorized users will be trained on the privacy and security of Records upon hire and annually thereafter.
5. DHS staff and authorized users will be trained on written protocols on disciplinary action for noncompliance with protocols for Records.
6. Privacy and security reminders will be posted in the DHS office.
7. A Records Officer, who is responsible for supervision of DHS staff and authorized users, will be appointed for enforcement of protocols. Such Records Officer will be the point of contact for reports of concerns regarding the privacy and/or security of Records.
8. Periodic assessment to identify external threats to security of the information system (viruses, malware, hacking) consistent with the assessments performed by Delta with respect to Delta’s other electronic information.
9. Anti-virus and anti-malware protection software on computers used to access Records will be routinely updated.
10. Unsuccessful log-ins or attempts to access Records will be monitored consistent with processes used by Delta for this purpose regarding other stored electronic information.
11. Written protocols will be developed to address persons to contact in the event of a suspected breach of security of Records.
12. Encryption of electronic Records at rest on information system.
13. Destruction of Records (electronic and paper) in accordance with Delta’s record retention policy for similar documents.
Yes, very nice.... I've read that a couple of times. It never says who the DHS staff will be. Only the DHS (the AME) and an implication on the Records Officer being Delta employees, but that's it.

As I said, I wrote and asked PO and another good P2P guy I know, and all either would/could tell me was it wasn't Sedgwick.

Anyway, moot now eh?