HIPAA Core Policy: Contingency Planning


Abstract: This policy establishes guidelines for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information.
Effective Date: 3/23/2016
Contacts: None Assigned
Applies To: Faculty, Staff, Students

1. PURPOSE: To establish policy for contingency planning for information systems that contain, maintain, or transmit ePHI or other sensitive information.


2. PHILOSOPHY: Contingency plans should exist for information systems that are critical to patient care and business operations to minimize any disruption of service.


3. APPLICABILITY: This policy applies to all UAB/UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital, Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions, UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB/UABHS Covered Entities shall be referred to as "UAB".


4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Business Associate (BA): A person or entity (other than an employee of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB Covered Entity. A Business Associate of one UAB Covered Entity does not become a Business Associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.

4.1.2. Business Associate Agreement: A legal agreement between UAB and the Business Associate that outlines how the Business Associate will protect the PHI that they store, process, or transmit on behalf of UAB. This is an additional document separate from the contract.

4.1.3. Short-term downtime: Any downtime shorter than the anticipated system recovery time.

4.1.4. Long-term downtime: Any downtime longer than the anticipated system recovery time.

4.1.5. Backup procedure: A detailed step-by-step method for saving data and, where appropriate, storing it securely offsite. The procedure includes the hardware, software, and configuration information needed to reproduce the system.

4.1.6. Downtime procedure: A detailed step-by-step workflow description that ensures continuity of the business and the security of data for use in a recovery procedure. This is equivalent to an emergency mode operation plan.

4.1.7. Contingency plan: A set of strategies that coordinates processes and procedures for the recovery of information systems containing ePHI or other sensitive information following an emergency or disruptive event.

4.1.8. Disaster recovery plan: The combination of a recovery procedure and a restoration procedure.

4.1.9. Restoration procedure: A detailed step-by-step method for recovering a system from backup media. It shall also include details on necessary hardware, software, licensing keys, and system information.

4.1.10. Recovery procedure: A detailed step-by-step method for recovering data or transactions that occur during a system downtime.

4.1.11. Recovery time: The amount of time that it takes to restore information systems to normal operations following a disaster. This includes the amount of time it would take for vendors to replace hardware, installation time, restoration from backup, and the implementation of the recovery procedure.

4.1.12. Secure offsite location: A physically and environmentally safe storage area that is separated from where the originating information systems reside.

4.1.13. Sensitive Information: Any information that may be accessed only by authorized personnel. It includes protected health information, financial information, personnel and student data, trade secrets, and any information that is deemed confidential or that would negatively affect UAB/UABHS if inappropriately handled or lost.


5. POLICY:

5.1. A contingency/disaster recovery plan shall be developed and published for every in-scope system used in each operational area.

5.1.1. The operational area shall develop downtime procedures in conjunction with the other departments that maintain the information systems it depends on.

5.1.2. The procedures shall address both short-term and long-term downtime events.

5.1.3. The procedures shall be given to the Entity Security Coordinator for inclusion in the entity’s contingency plan.

5.1.4. The procedures shall be reviewed periodically and updated as business practices change within the operational area.

5.2. All system users shall be trained on downtime procedures so that they know how to respond appropriately and in a timely manner in the event of actual downtime. NOTE: Downtime procedures should be reviewed before a downtime is experienced.

5.3. All downtime procedures shall be published and available within the individual entity.

5.4. The entity contingency plan shall be reviewed by the appropriate management periodically and whenever significant system changes are implemented.

5.5. All downtime procedures shall be tested for accuracy and ease-of-use prior to publication and annually.

5.6. All downtime procedure tests shall be documented.

5.7. All downtime procedures shall be reviewed and approved by the affected management prior to publication.

5.8. Systems containing sensitive data shall be backed up at least once per business day. Backup media should be encrypted where possible and securely stored (onsite or offsite) at all times. The backup shall contain the sensitive data and all software required to process that data.

5.8.1. Full backups sufficient to support business operations and recovery shall be maintained at all times.

5.8.2. The restoration procedure must be able to restore the system to the state specified by the recovery objectives.

5.9. At least three copies of an entity’s contingency/disaster plan will be kept, one in each of the following locations:

5.9.1. Secure offsite storage

5.9.2. Entity Security Coordinator’s office

5.9.3. HIPAA Information Security Office

5.10. HIPAA Information Security Office (UABHS Information Security Office) Responsibilities

5.10.1. Verify that covered entities have proper contingency plans.

5.10.2. Collect and store contingency plans from covered entities.

5.10.3. Verify that contingency plans are tested and revised as needed.

5.10.4. Provide annual reports to the HIPAA Advisory Committee regarding HIPAA contingency plan compliance.

5.11. User Responsibilities

5.11.1. Ensure that sensitive information is stored in a directory on a secure network file server and not on individual workstations.

5.12. System Administrator Responsibilities

5.12.1. Document vendor contacts (with an approved BAA), system configuration, backup procedures, and restoration procedures, including the required hardware and software, for inclusion in the entity's contingency plan.

5.12.2. Provide documentation to management on any system backup failure (e.g., a backup job that failed because of a damaged tape).

5.13. Management responsibilities

5.13.1. Ensure that users are trained on downtime procedures.

5.13.2. Ensure that the contingency plan is tested and reviewed as needed.

5.13.3. Ensure that the contingency plan is updated as business procedures change or following an activation of the contingency plan.

5.13.4. Provide mechanisms for secure backup of non-electronic forms and data.

5.13.5. Ensure creation, maintenance, and adherence to core policies and procedures including:

5.13.5.1. Emergency contact lists that include managers and system administrators

5.13.5.2. Critical system inventory and configuration

5.13.5.3. Vendor contact lists (e.g., hardware, software, forms, supplies)

5.13.5.4. Alternative working procedures for all critical business functions

5.13.5.5. Backup procedures

5.13.5.6. Restoration procedures

5.13.5.7. Recovery procedures

5.13.5.8. Testing procedures

5.13.5.9. Revision procedures.

5.13.6. Ensure that all published procedures, test results, and other documentary evidence are archived for no less than six years.

5.14. Entity Security Coordinator responsibilities

5.14.1. Maintain entity contingency plan including:

5.14.1.1. Emergency contact lists that include managers and system administrators

5.14.1.2. Critical system inventory and configuration

5.14.1.3. Vendor contact lists (e.g., hardware, software, forms, supplies)

5.14.1.4. Alternative working procedures for all critical business functions

5.14.1.5. Backup procedures

5.14.1.6. Restoration procedures

5.14.1.7. Recovery procedures

5.14.1.8. Testing procedures

5.14.1.9. Revision procedures.

5.14.2. Collect updates to entity contingency plan from entity system administrators.

5.14.3. Ensure that recovery time and contingency plan are reviewed and approved by the affected management. Note that contingency planning may cross standard departmental boundaries.

5.14.4. Periodically test the contingency plan, including contacting vendors, to confirm that replacement systems would be available.

5.14.5. Provide the HIPAA Information Security Office with an updated entity contingency plan if/when revised.

5.15. Violations of these standards may result in disciplinary action, up to and including termination of employment or assignment.

5.16. Business associates must comply with UAB policies applicable to the nature of their work with UAB. Business associates who do not follow the above policies shall be subject to breach of contract penalties, possible legal prosecution, and other legal remedies/ramifications as available to UAB.

5.17. All business associates shall be required to sign a business associate agreement.

5.18. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.18.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)

5.18.2. the HSIS Help Desk at 934-8888

5.18.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.18.4. UAB HIPAA Security Office at InfoSec@uabmc.edu or 975-1440

5.18.5. UAB IT Information Security Office at 975-0842


6. REFERENCES: None


7. SCOPE: This policy applies to all UAB entities covered under HIPAA and their systems that maintain ePHI.


8. ATTACHMENTS: None


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.