HIPAA Core Policy: Contingency Planning

Abstract: This policy establishes guidelines for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information.
Effective Date: 8/22/2012
Contacts: None Assigned
Applies To: Faculty, Staff, Students
Keyword(s): None Assigned

1. PURPOSE: To establish guidelines for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information.


2. PHILOSOPHY: It is our belief that contingency plans should exist for all information systems in the event of system failure, technical difficulty, theft, or physical disaster, to ensure that patient care and business operations will continue uninterrupted.


3. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".


4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Business Associate Agreement (BAA): A person or entity (other than an employee of a UAB/UABHS Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB/UABHS Covered Entity. A Business Associate of one UAB/UABHS Covered Entity does not become a Business Associate of any other UAB/UABHS Covered Entity simply by virtue of the UAB/UABHS affiliation.

4.1.2. Scheduled downtime: A planned interruption in service to any hardware/software.

4.1.3. Unscheduled downtime: An unplanned interruption in service to any hardware/software.

4.1.4. Short-term downtime: Any downtime less than the anticipated system recovery time.

4.1.5. Long-term downtime: Any downtime greater than the anticipated system recovery time.

4.1.6. Backup procedure: A detailed step-by-step method for saving data and taking it securely offsite that includes hardware, software, and configuration information.

4.1.7. Downtime procedure: A detailed step-by-step method for work that ensures continuity of the business and the security of data for use in a recovery procedure. This is equivalent to an emergency mode operation plan.

4.1.8. Contingency plan: A set of strategies that coordinates processes and procedures for the recovery of information systems containing ePHI or other sensitive information following an emergency or disruptive event.

4.1.9. Disaster recovery plan: The combination of a recovery procedure and a restoration procedure.

4.1.10. Restoration procedure: A detailed step-by-step method for recovering a system from offsite backup media. It shall also include details on necessary hardware, software, licensing keys, and system.

4.1.11. Recovery procedure: A detailed step-by-step method for recovering data or transactions that occur during a system downtime.

4.1.12. Recovery time: The amount of time that it takes for systems following a disaster such as fires to be restored to operation. This includes the amount of time it would take for vendors to replace hardware, installation time, restoration from backup, and the implementation of the recovery procedure.

4.1.13. Secure offsite location: A physically and environmentally safe storage area outside of the originating information systems.

4.1.14. Sensitive Information: Any information that may be accessed only by authorized personnel. It includes protected health information, financial information, personnel and student data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB/UABHS if inappropriately handled or lost.


5. STANDARDS:

5.1. A contingency/disaster recovery plan shall be developed and published for every system used in each operational area.

5.1.1. The operational area shall develop downtime procedures in conjunction with other departments that maintain information systems.

5.1.2. The procedures shall address both short-term and long-term downtime events.

5.1.3. The procedures shall be given to the Entity Security Coordinator for inclusion in the entity’s contingency plan.

5.1.4. The procedure shall be reviewed annually and updated as business practices change within the operational area.

5.2. All system users shall be trained on downtime procedures so that, in the event of actual downtime, users know how to respond appropriately and in a timely manner. NOTE: The first time a user sees a procedure SHALL NOT be during a downtime.

5.3. All downtime procedures shall be published and available within the individual entity.

5.4. The entity contingency plan shall be reviewed by the appropriate management annually and whenever significant system changes are implemented.

5.5. All downtime procedures shall be tested for accuracy and ease-of-use prior to publication and annually.

5.6. All downtime procedure tests shall be documented by system administrators.

5.7. All downtime procedures shall be reviewed and approved by the affected management prior to publication.

5.8. Systems containing sensitive data shall be backed up to secure offsite media at least once per business day, i.e. a full backup weekly with incremental backups taken offsite daily. The backup shall contain the sensitive data and all necessary software required to process the data, and shall be stored in an encrypted format.

5.8.1. A minimum of three generations of full backup shall be maintained at all times.

5.8.2. A restoration procedure must be able to restore the system to the state it was in one month or less before the disruptive event.
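The backup requirements in 5.8 through 5.8.2 are concrete enough to audit automatically. The following is an added example, not part of the policy or any UAB system: it walks a constructed backup catalog (a list of dated full/incremental runs with offsite and encryption flags, which a real backup server would supply) and reports each deviation from the daily-offsite, weekly-full, three-generation, encrypted-media and one-month restore-point rules. The 31-day reading of "one month" and the Monday-to-Friday business week are assumptions.

```python
from datetime import date, timedelta

def rec(day, kind, offsite=True, encrypted=True):
    """One catalog entry; dates are in August 2012 for the constructed sample."""
    return {"day": date(2012, 8, day), "kind": kind,
            "offsite": offsite, "encrypted": encrypted}

# Constructed sample backup catalog (not from the policy), as a backup
# server might report it. 2012-08-22 is a Wednesday with no backup, and
# the 08-21 incremental went offsite unencrypted.
SAMPLE_TODAY = date(2012, 8, 22)
SAMPLE_CATALOG = [rec(3, "full"), rec(10, "full"), rec(16, "incr"),
                  rec(17, "full"), rec(20, "incr"),
                  rec(21, "incr", encrypted=False)]

def check_backup_regimen(catalog, today, lookback_days=7):
    """Return findings against 5.8, 5.8.1 and 5.8.2 (empty list = compliant)."""
    findings = []
    by_day = {b["day"]: b for b in catalog}
    fulls = sorted(b["day"] for b in catalog if b["kind"] == "full")
    # 5.8: every backup copy must be offsite and encrypted
    for b in sorted(catalog, key=lambda b: b["day"]):
        if not b["offsite"]:
            findings.append(f"{b['day']}: backup not taken offsite")
        if not b["encrypted"]:
            findings.append(f"{b['day']}: backup not encrypted")

    # 5.8: at least one backup on every business day (Mon-Fri) in the window
    for n in range(lookback_days):
        d = today - timedelta(days=n)
        if d.weekday() < 5 and d not in by_day:
            findings.append(f"{d}: no backup on a business day")

    # 5.8: a full backup at least weekly
    if not fulls or (today - fulls[-1]).days > 7:
        findings.append("no full backup within the last 7 days")

    # 5.8.1: at least three generations of full backups retained
    if len(fulls) < 3:
        findings.append(f"only {len(fulls)} full backup generations retained")

    # 5.8.2: newest restore point no older than one month (31 days assumed)
    if not by_day or (today - max(by_day)).days > 31:
        findings.append("newest restore point older than one month")
    return findings

if __name__ == "__main__":
    for finding in check_backup_regimen(SAMPLE_CATALOG, SAMPLE_TODAY):
        print(finding)
```

Run against the sample it reports the unencrypted 08-21 copy and the missing 08-22 business-day backup; the same function can be run nightly against the real catalog and its findings attached to the documentation required by 5.12.2.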

5.9. At least three copies of an entity’s contingency/disaster plan will be kept, one in each of the following locations:

5.9.1. Secure offsite storage

5.9.2. Entity Security Coordinator’s office

5.9.3. HIPAA Information Security Office

5.10. HIPAA Information Security Office Responsibilities

5.10.1. Verify that covered entities have proper contingency plans.

5.10.2. Collect and store contingency plans from covered entities.

5.10.3. Verify that contingency plans are tested and revised annually.

5.10.4. Provide annual reports to the HIPAA oversight committee regarding HIPAA contingency plan compliance.

5.11. User Responsibilities

5.11.1. Ensure that sensitive information is stored in a directory on a secure network file server and not on individual workstations.

5.12. System Administrator Responsibilities

5.12.1. Document vendor contacts (with approved BAA), system configuration, backup procedures, and restoration procedures, including required hardware and software, for inclusion in the entity’s contingency plan.

5.12.2. Provide documentation to management on any system backup failure, e.g. a backup process that failed due to a broken tape.

5.13. Management responsibilities

5.13.1. Ensure that users are trained in downtime procedures.

5.13.2. Ensure that the contingency plan is tested and reviewed annually.

5.13.3. Ensure that the contingency plan is updated as business procedures change or following an activation of the contingency plan.

5.13.4. Provide mechanisms for secure backup of non-electronic forms and data.

5.13.5. Ensure creation, maintenance, and adherence to core standards and procedures including:

5.13.5.1. Emergency contact lists that include managers and system administrators

5.13.5.2. Critical system inventory and configuration

5.13.5.3. Vendor contact lists (e.g. hardware, software, forms, supplies)

5.13.5.4. Alternative working procedures for all critical business functions

5.13.5.5. Backup procedures

5.13.5.6. Restoration procedures

5.13.5.7. Recovery procedures

5.13.5.8. Testing procedures

5.13.5.9. Revision procedures.

5.13.6. Ensure that all published procedures, test results, and other documentary evidence are archived for no less than six years.

5.14. Entity Coordinator responsibilities

5.14.1. Maintain entity contingency plan including:

5.14.1.1. Emergency contact lists that include managers and system administrators

5.14.1.2. Critical system inventory and configuration

5.14.1.3. Vendor contact lists (e.g. hardware, software, forms, supplies)

5.14.1.4. Alternative working procedures for all critical business functions

5.14.1.5. Backup procedures

5.14.1.6. Restoration procedures

5.14.1.7. Recovery procedures

5.14.1.8. Testing procedures

5.14.1.9. Revision procedures.

5.14.2. Collect updates to entity contingency plan from entity system administrators.

5.14.3. Ensure that recovery time and contingency plan are appropriately detailed and approved by the affected management. Note that contingency planning may cross standard departmental boundaries.

5.14.4. Test the contingency plan annually, including contacting vendors, to ensure replacement system availability.

5.14.5. Provide the HIPAA Information Security Office with an updated entity contingency plan annually.

5.15. Violations of these standards may result in disciplinary action, up to and including dismissal. Attempts at unauthorized access by any individual may be prosecuted to the fullest extent.

5.16. Business associates must comply with UAB/UABHS standards applicable to the nature of their work with UAB/UABHS. Business associates who do not follow the above standards shall be subject to breach of contract penalties, possible legal prosecution, and other legal remedies/ramifications as available to UAB/UABHS.

5.17. All business associates shall be required to sign a business associate agreement.

5.18. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.18.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/securitycontacts.htm)

5.18.2. the HSIS Help Desk at 934-8888

5.18.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.18.4. UAB/UABHS HIPAA Security Office at 975-0072

5.18.5. UAB IT Data Security Office at 975-0842


6. REFERENCES: None


7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain ePHI.


8. ATTACHMENTS: None


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.