Data Custodians must:
- Designate appropriate individuals with system administration responsibilities, ensuring that their role in securing the system is defined in their job description, and that they are trained in administration and security of the system.
- Ensure adherence to UAB guidelines and procedures for protecting data as found in IT Security Practices.
- Ensure compliance with all stipulations of this and other UAB policies, and with all legal and regulatory requirements, including those related to dissemination of data (UAB's Information Disclosure and Confidentiality Policy) and disposal of computer equipment and systems (UAB's Equipment Accounting standards and the "Guidelines for secure disposal of media containing sensitive information").
- Ensure that risk assessments, together with the associated disaster recovery, backup and contingency plans, are performed as required by HIPAA for all PHI. Risk assessment is recommended for all other sensitive or mission-critical data.
- Ensure that documentation of data resources created, used, or stored within their area of control is maintained.
- Ensure that systems containing sensitive information are physically secured from unauthorized access.
- Ensure that the department/unit follows procedures to mitigate all identified compromises and data security threats.
- Ensure that actual or suspected data security breaches, especially when involving sensitive data, are reported to the Data Security Office immediately and that any recommended corrective action is implemented.
- Ensure that non-UAB entities or contracted third party vendors handle data in accordance with UAB policies and procedures.