Security and privacy practices outlined for Dependent Eligibility Verification process

April 22, 2009

Security and privacy practices outlined for Dependent Eligibility Verification process

Faculty and staff who cover dependents on their Purdue medical plan have until May 13 to provide the required material outlined in the Dependent Eligibility Verification Package sent to their homes earlier this month.

Dependents will be dropped from medical coverage if the required documentation is not received by May 13. Employees will not be able to re-enroll their dependents until the next open enrollment period or the occurrence of a qualifying change in family status.

"Throughout this process, the information employees provide will be kept strictly confidential," says John Beelke, director of human resource services. "The security of personal information is Staff Benefits' highest priority."

Purdue has partnered with human resources consulting firm Mercer to conduct the verification program. Mercer is a global leader for HR and related financial advice and services. Throughout the Dependent Eligibility Verification project, Mercer will adhere to the following privacy and security practices.

General privacy and security policies

* All hard-copy materials that contain sensitive information are stored in locked cabinets or drawers when not in use.

* Paper documents that are no longer needed are shredded according to company retention policies.

* Waste paper with client information is disposed of via locked containers and then shredded normally.

* Access to information is granted on a least-privilege and need-to-know basis. Within software applications, a hierarchy of controls limits access to data and system functionality according to levels of authority and job function.

* Access to information requiring elevated privileges is restricted to a limited number of administrative staff who require the information to perform their jobs.

* Personal information transmitted over the Internet is encrypted, using a minimum of 128-bit encryption.

Handling of hard-copy mail and faxed documentation

* All hard-copy documentation is delivered to a restricted access room and does not leave that room for the duration of the project.

* At the end of the project, hard-copy documentation is securely destroyed.

* A limited, specialized team of workers opens, scans, and images all documents.

* Documents are immediately loaded directly to the database as they are being imaged.

* Once in the database, all further review of documents is done via Web access, which provides security controls for access and workflow.

* The Web access system does not allow data entry/verification administrators to download images.

* Mercer receives all faxed documentation in a digital format on a secure server.

For a list of frequently asked questions and more details about the Dependent Eligibility Verification Program, visit the Staff Benefits Web site at www.purdue.edu/benefits